From 0b457cedf90806fb79ba1b619aee0e00c6ebd78b Mon Sep 17 00:00:00 2001
From: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
Date: Fri, 25 Feb 2022 17:43:45 +0200
Subject: [PATCH 1/9] =?UTF-8?q?Add=20PHP=208=20Support=20=F0=9F=8E=89=20Si?=
 =?UTF-8?q?gned-off-by:=20Sherif=20Abdel-Naby=20<sherifabdlnaby@gmail.com>?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/snyk-container.yml       | 49 +++++++++--------
 Dockerfile                                 | 62 +++++++++++++++-------
 docker-compose.prod.yml                    |  3 ++
 docker-compose.yml                         | 12 ++---
 docker/nginx/conf.d/{php.conf => app.conf} | 33 ++++++++----
 docker/nginx/dev/certs/dev-selfsigned.crt  | 17 ++++++
 docker/nginx/dev/certs/dev-selfsigned.key  | 28 ++++++++++
 docker/nginx/dev/dev-https.conf            | 16 ++++++
 docker/nginx/nginx.conf                    | 12 ++---
 docker/post-build-dev                      |  2 +-
 10 files changed, 170 insertions(+), 64 deletions(-)
 rename docker/nginx/conf.d/{php.conf => app.conf} (71%)
 create mode 100644 docker/nginx/dev/certs/dev-selfsigned.crt
 create mode 100644 docker/nginx/dev/certs/dev-selfsigned.key
 create mode 100644 docker/nginx/dev/dev-https.conf

diff --git a/.github/workflows/snyk-container.yml b/.github/workflows/snyk-container.yml
index 7ee9f47..e9f8530 100644
--- a/.github/workflows/snyk-container.yml
+++ b/.github/workflows/snyk-container.yml
@@ -15,7 +15,7 @@ name: Snyk Container
 
 on:
   push:
-    branches: [ master ]
+    branches: [ php-8 ]
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ master ]
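Review bot: The `pull_request` trigger still lists `master` while `push` now lists only `php-8`, which contradicts the comment directly above it that the PR branches must be a subset of the push branches; PRs into `master` will run the scan but pushes to `master` no longer will. Either restore `master` under `push.branches` or point both triggers at the same branch, e.g. `branches: [ php-8 ]` on both.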
@@ -26,23 +26,30 @@ jobs:
   snyk:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Build a Docker image
-      run: docker build -t your/image-to-test .
-    - name: Run Snyk to check Docker image for vulnerabilities
-      # Snyk can be used to break the build when it detects vulnerabilities.
-      # In this case we want to upload the issues to GitHub Code Scanning
-      continue-on-error: true
-      uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
-      env:
-        # In order to use the Snyk Action you will need to have a Snyk API token.
-        # More details in https://github.com/snyk/actions#getting-your-snyk-token
-        # or you can signup for free at https://snyk.io/login
-        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-      with:
-        image: your/image-to-test
-        args: --file=Dockerfile
-    - name: Upload result to GitHub Code Scanning
-      uses: github/codeql-action/upload-sarif@v1
-      with:
-        sarif_file: snyk.sarif
+      - uses: actions/checkout@v2
+      - name: Install Demo App
+        uses: php-actions/composer@v6
+        with:
+          dev: no
+          command: create-project
+          args: symfony/symfony-demo app
+          php_version: 7.4
+      - name: Build a Docker image
+        run: make deploy
+      - name: Run Snyk to check Docker image for vulnerabilities
+        # Snyk can be used to break the build when it detects vulnerabilities.
+        # In this case we want to upload the issues to GitHub Code Scanning
+        continue-on-error: true
+        uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
+        env:
+          # In order to use the Snyk Action you will need to have a Snyk API token.
+          # More details in https://github.com/snyk/actions#getting-your-snyk-token
+          # or you can signup for free at https://snyk.io/login
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: your/image-to-test
+          args: --file=Dockerfile
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: snyk.sarif
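Review bot: `actions/checkout@v2` and `php-actions/composer@v6` are referenced by mutable tags while the Snyk step in the same job is pinned to a commit SHA; a moved tag on either would run unreviewed code in a job that holds `secrets.SNYK_TOKEN`, so pin them the same way, e.g. `uses: actions/checkout@<sha> # v2`. The job also declares no `permissions:`, so the default token scope applies to every step, whereas checkout plus SARIF upload need only `permissions: { contents: read, security-events: write }`. With `continue-on-error: true` on the Snyk step a failed scan leaves the job green, including a scan that never ran because `your/image-to-test` is not what `make deploy` builds; the Makefile is not in this diff, so that cannot be confirmed here.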
diff --git a/Dockerfile b/Dockerfile
index 1265cf5..e95114d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,11 @@
 # ---------------------------------------------- Build Time Arguments --------------------------------------------------
 ARG PHP_VERSION="7.4"
 ARG NGINX_VERSION="1.17.4"
-ARG COMPOSER_VERSION="2.0"
-ARG XDEBUG_VERSION="3.0.3"
+ARG COMPOSER_VERSION="2"
+ARG XDEBUG_VERSION="3.1.3"
 ARG COMPOSER_AUTH
+ARG APP_BASE_DIR="."
+
 # -------------------------------------------------- Composer Image ----------------------------------------------------
 
 FROM composer:${COMPOSER_VERSION} as composer
@@ -45,21 +47,33 @@ RUN apk add --no-cache --virtual .build-deps \
       pdo_mysql   \
       zip         \
  # Pecl Extensions -------------------------------- \
- && pecl install apcu-5.1.20 && docker-php-ext-enable apcu \
+ && pecl install apcu && docker-php-ext-enable apcu \
  # ---------------------------------------------------------------------
  # Install Xdebug at this step to make editing dev image cache-friendly, we delete xdebug from production image later
  && pecl install xdebug-${XDEBUG_VERSION} \
  # Cleanup ---------------------------------------- \
  # - Detect Runtime Dependencies of the installed extensions. \
- # - src: https://github.com/docker-library/wordpress/blob/master/latest/php7.4/fpm-alpine/Dockerfile \
- && runDeps="$( \
-		scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
-			| tr ',' '\n' | sort -u | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }'  \
-    )"; \
-  # Save Runtime Deps in a virtual deps
-	apk add --no-network --virtual .php-extensions-rundeps $runDeps; \
-  # Uninstall Everything we Installed (minus the runtime Deps)
-	apk del --no-network .build-deps
+ # - src: https://github.com/docker-library/wordpress/blob/master/latest/php8.0/fpm-alpine/Dockerfile \
+    out="$(php -r 'exit(0);')"; \
+		[ -z "$out" ]; \
+		err="$(php -r 'exit(0);' 3>&1 1>&2 2>&3)"; \
+		[ -z "$err" ]; \
+		\
+		extDir="$(php -r 'echo ini_get("extension_dir");')"; \
+		[ -d "$extDir" ]; \
+		runDeps="$( \
+			scanelf --needed --nobanner --format '%n#p' --recursive "$extDir" \
+				| tr ',' '\n' \
+				| sort -u \
+				| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+		)"; \
+		# Save Runtime Deps in a virtual deps
+		apk add --no-network --virtual .php-extensions-rundeps $runDeps; \
+		# Uninstall Everything we Installed (minus the runtime Deps)
+		apk del --no-network .build-deps; \
+		# check for output like "PHP Warning:  PHP Startup: Unable to load dynamic library 'foo' (tried: ...)
+		err="$(php --version 3>&1 1>&2 2>&3)"; 	[ -z "$err" ]
+# -----------------------------------------------
 
 # ------------------------------------------------- Permissions --------------------------------------------------------
 
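Review bot: The new sanity checks `[ -z "$out" ]`, `[ -z "$err" ]` and `[ -d "$extDir" ]` cannot fail the build, because everything from `out=` onward is joined with `;` and no `set -e` is visible in this RUN, so only the final `[ -z "$err" ]` decides the layer's exit status (the cited WordPress Dockerfile runs the same sequence under `set -eux;`, as far as I recall). The `&&` that preceded the old `runDeps=` line was also dropped, so once Docker strips the comment lines `out="$(php -r 'exit(0);')"` becomes a trailing argument of `pecl install xdebug-${XDEBUG_VERSION}` rather than a separate command; end that line with `;` (or keep `&&`) before the checks. Separately, `pecl install apcu` no longer pins a version where the old line pinned `apcu-5.1.20`, so rebuilds are not reproducible; an `ARG APCU_VERSION` alongside `XDEBUG_VERSION` would restore that. The enclosing RUN starts above this hunk.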
@@ -126,13 +140,17 @@ FROM composer as vendor
 
 ARG PHP_VERSION
 ARG COMPOSER_AUTH
+ARG APP_BASE_DIR
+
 # A Json Object with remote repository token to clone private Repos with composer
 # Reference: https://getcomposer.org/doc/03-cli.md#composer-auth
 ENV COMPOSER_AUTH $COMPOSER_AUTH
 
+WORKDIR /app
+
 # Copy Dependencies files
-COPY composer.json composer.json
-COPY composer.lock composer.lock
+COPY $APP_BASE_DIR/composer.json composer.json
+COPY $APP_BASE_DIR/composer.lock composer.lock
 
 # Set PHP Version of the Image
 RUN composer config platform.php ${PHP_VERSION}
@@ -147,6 +165,7 @@ RUN composer install -n --no-progress --ignore-platform-reqs --no-dev --prefer-d
 
 FROM base AS app
 
+ARG APP_BASE_DIR
 USER root
 
 # Copy Prod Scripts && delete xdebug
@@ -164,10 +183,10 @@ USER www-data
 COPY --chown=www-data:www-data --from=vendor /app/vendor /app/vendor
 
 # Copy App Code
-COPY --chown=www-data:www-data . .
+COPY --chown=www-data:www-data $APP_BASE_DIR/ .
 
-# Run Composer Install again
-# ( this time to run post-install scripts, autoloader, and post-autoload scripts using one command )
+## Run Composer Install again
+## ( this time to run post-install scripts, autoloader, and post-autoload scripts using one command )
 RUN post-build-base && post-build-prod
 
 ENTRYPOINT ["entrypoint-prod"]
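Review bot: `COPY --chown=www-data:www-data $APP_BASE_DIR/ .` copies the whole application directory into the production image, and with the default `APP_BASE_DIR="."` that is the repository root, including `docker/`, the workflows and the private key this patch adds at `docker/nginx/dev/certs/dev-selfsigned.key`; no `.dockerignore` appears in this diff to exclude them. If one exists it should cover `docker/nginx/dev/certs`, `.git` and any `.env*` files; otherwise add one before this lands, e.g. `# .dockerignore: .git docker/nginx/dev/certs .env*`. The `FROM base AS app` stage this line belongs to begins above this hunk.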
@@ -188,7 +207,7 @@ ENV APP_DEBUG 1
 USER root
 
 # For Composer Installs
-RUN apk add git openssh; \
+RUN apk --no-cache add git openssh; \
  # Enable Xdebug
  docker-php-ext-enable xdebug
 
@@ -255,7 +274,12 @@ FROM nginx AS web
 # Copy Public folder + Assets that's going to be served from Nginx
 COPY --chown=www-data:www-data --from=app /app/public /app/public
 
-# ----------------------------------------------------- NGINX ----------------------------------------------------------
+# ======================================================================================================================
+#                                                 --- NGINX DEV ---
+# ======================================================================================================================
 FROM nginx AS web-dev
 
 ENV NGINX_LOG_FORMAT "combined"
+
+COPY --chown=www-data:www-data docker/nginx/dev/*.conf   /etc/nginx/conf.d/
+COPY --chown=www-data:www-data docker/nginx/dev/certs/   /etc/nginx/certs/
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 4873611..997b929 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -9,12 +9,15 @@ services:
         # To authenticate to private registry either use username / password, or Oauth key/secret / etc
         # Please add Composer Auth JSON Object
         COMPOSER_AUTH: "{}"
+        APP_BASE_DIR: ${APP_BASE_DIR-.}
     restart: unless-stopped
 
   web:
     build:
       context: .
       target: web
+      args:
+        APP_BASE_DIR: ${APP_BASE_DIR-.}
     restart: unless-stopped
     environment:
       # The Hostname for the FPM (needs to match the hostname for the `app`)
diff --git a/docker-compose.yml b/docker-compose.yml
index 2cf2921..ba06d0d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,19 +9,22 @@ services:
         # To authenticate to private registry either use username / password, or Oauth key/secret / etc
         # Please add Composer Auth JSON Object
         COMPOSER_AUTH: "{}"
+        APP_BASE_DIR: ${APP_BASE_DIR-.}
     restart: unless-stopped
     environment:
       # For Xdebuger to work, it needs the docker host ID
       # - in Mac AND Windows, `host.docker.internal` resolve to Docker host IP
       # - in Linux, `172.17.0.1` is the host IP
-      XDEBUG_CLIENT_HOST: 'host.docker.internal'
+      XDEBUG_CLIENT_HOST: ${XDEBUG_CLIENT_HOST-host.docker.internal}
     volumes:
-      - .:/app
+      - ${APP_BASE_DIR-.}:/app
 
   web:
     build:
       context: .
       target: web-dev
+      args:
+        APP_BASE_DIR: ${APP_BASE_DIR-.}
     restart: unless-stopped
     ports:
       - 8080:8080
@@ -29,7 +32,4 @@ services:
       # The Hostname for the FPM (needs to match the hostname for the `app`)
       PHP_FPM_HOST: app
     volumes:
-      - ./public:/app/public
-    depends_on:
-      app:
-        condition: service_healthy
\ No newline at end of file
+      - ${APP_BASE_DIR-.}/public:/app/public
\ No newline at end of file
diff --git a/docker/nginx/conf.d/php.conf b/docker/nginx/conf.d/app.conf
similarity index 71%
rename from docker/nginx/conf.d/php.conf
rename to docker/nginx/conf.d/app.conf
index 000c366..6736879 100644
--- a/docker/nginx/conf.d/php.conf
+++ b/docker/nginx/conf.d/app.conf
@@ -1,3 +1,12 @@
+upstream backend {
+    # The number of idle keepalive connections to an upstream server that remain open for each worker process
+    server ${PHP_FPM_HOST}:${PHP_FPM_PORT};
+    keepalive 40;
+    keepalive_requests 250; # Must be less than php-fpm.conf:pm.max_requests
+    keepalive_timeout 10;
+}
+
+
 server {
 	listen 8080;
 	listen [::]:8080;
@@ -6,7 +15,7 @@ server {
 	set $base /app;
 	root $base/public;
 
-  # deny all dot files
+  # deny all dot files except .well-known
   location ~ /\.(?!well-known) {
       deny all;
   }
@@ -14,16 +23,18 @@ server {
 	# index.php
 	index index.php;
 
-	# index.php fallback
-	location / {
-	# try to serve file directly, fallback to index.php
-		try_files $uri /index.php$is_args$args;
-	}
 
-	# Disable falling back to PHP script for the asset directories;
-	location /bundles {
-		try_files $uri =404;
-	}
+
+  # index.php fallback
+  location / {
+  # try to serve file directly, fallback to index.php
+    try_files $uri /index.php$is_args$args;
+  }
+
+  # Disable falling back to PHP script for the asset directories;
+  location ~ ^/(public|bundles)/ {
+    try_files $uri =404;
+  }
 
 	# handle non-files
 	location ~ ^/index\.php(/|$) {
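Review bot: The new `location ~ ^/(public|bundles)/` replaces the prefix match `location /bundles`, but with `root $base/public` a request for `/public/...` maps to `/app/public/public/...`, so the `public` alternative only has an effect if the app nests a second `public` directory; if the goal is to keep assets off the `index.php` fallback, `/bundles` alone (or the real asset paths) is clearer and worth a comment such as `# assets: never fall back to index.php`. The hunk also re-indents these lines with two spaces while the neighbouring `index index.php;` and `location ~ ^/index\.php(/|$)` keep tabs, leaving the file mixed; pick one.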
@@ -31,7 +42,7 @@ server {
         include fastcgi_params;
 
         # fastcgi settings
-        fastcgi_pass			${PHP_FPM_HOST}:${PHP_FPM_PORT};
+        fastcgi_pass			backend;
         fastcgi_index			index.php;
         fastcgi_buffers			8 16k;
         fastcgi_buffer_size		32k;
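Review bot: The `keepalive 40` pool declared in `upstream backend` is not used for FastCGI unless this location also sets `fastcgi_keep_conn on;`, so add that directive next to `fastcgi_pass backend;`; without it nginx closes the connection after every request and the `keepalive_requests` / `pm.max_requests` comment in the upstream block is moot. The enclosing `location ~ ^/index\.php(/|$)` block starts above this hunk.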
diff --git a/docker/nginx/dev/certs/dev-selfsigned.crt b/docker/nginx/dev/certs/dev-selfsigned.crt
new file mode 100644
index 0000000..abf28c5
--- /dev/null
+++ b/docker/nginx/dev/certs/dev-selfsigned.crt
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxDCCAawCCQCUYv2tOO4zGDANBgkqhkiG9w0BAQsFADAkMRAwDgYDVQQKDAdr
+dWJlcGhwMRAwDgYDVQQDDAdrdWJlcGhwMB4XDTIyMDIyNTE0MzEwNloXDTMyMDIy
+MzE0MzEwNlowJDEQMA4GA1UECgwHa3ViZXBocDEQMA4GA1UEAwwHa3ViZXBocDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALLdT4dDwxjNfc1POHfy/pTf
+JBGonmisS1i0NlN/sSz+QrktsyNtH3dvAJp/kHnOoTGgY3QyDCBNtr8/mULLig7B
+aAfGNDDuWJm7ayahxLoCfk2DZTcSf3NoOIPpvimwLfKxFOtuyOF742Lz3E3gVQ5+
+aDsePRp8NPSc1dBzGkrxGkPLvv4GGa8+MzeznKSamDOQ4fdqGdJyCOvTcYl2Pu4E
+ON6F5Z9cFOVu44l6VL7SzGpI86X6XGJY34PJ+KXg47Hs6/kGDt2UocgI0K3PfhDj
+6FlAf6ZeQ2GG//JRCPmWt4/womawo9nVHKtIkNMq20Ja3ITXrQ//Gism6HHZFEMC
+AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAH3jtGiuTaga9O+83MJNW4XursYhR0VHs
+BXDmWr87uXuKemAhBiN+YvWVkLu/Egr1lSWiQoO3besPQnQu75fEwTNpkBZliS3+
+Rm5rtf+7stAC9vTKKaljksGj9ipnTktvwM2WjqrfnpYPokGIHsNOZRf9GXNXfAOw
+YBKEz0sd8D3C26EgJjX9thoEW+pt2HkFYqp40jp8x3mGWXHTX2jpcXoyD1F2oB1i
+4G4GHR5pSz79OGrO7YdR8g/8mV5lMmcVwzbX/lIVmBVAdXeC/CDQFW8I9B0eCHHJ
+vCWTwoIb6aDWsDVKCqmot7CXczze5tvYomxZiEddq2vtSvfpduFlmw==
+-----END CERTIFICATE-----
diff --git a/docker/nginx/dev/certs/dev-selfsigned.key b/docker/nginx/dev/certs/dev-selfsigned.key
new file mode 100644
index 0000000..492b3a3
--- /dev/null
+++ b/docker/nginx/dev/certs/dev-selfsigned.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
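Review bot: A private key is committed to the repository and copied into the `web-dev` image; even for local development it is shared by every clone, so anyone who can reach a developer's port 443 can present the same key, and if a developer adds the certificate to a browser or OS trust store that trust is transferable. Generate the pair at build time in the `web-dev` stage instead, e.g. `RUN openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj '/CN=localhost' -addext 'subjectAltName=DNS:localhost' -keyout /etc/nginx/certs/dev-selfsigned.key -out /etc/nginx/certs/dev-selfsigned.crt`, and drop the key from git. The committed certificate's subject appears to decode to `CN=kubephp` with no subjectAltName, while `dev-https.conf` serves `server_name localhost`, so current browsers would reject it regardless.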
diff --git a/docker/nginx/dev/dev-https.conf b/docker/nginx/dev/dev-https.conf
new file mode 100644
index 0000000..1ad0c13
--- /dev/null
+++ b/docker/nginx/dev/dev-https.conf
@@ -0,0 +1,16 @@
+server {
+    listen 443 ssl;
+    server_name localhost;
+
+    ssl_certificate      /etc/nginx/certs/dev-selfsigned.crt;
+    ssl_certificate_key  /etc/nginx/certs/dev-selfsigned.key;
+
+    location / {
+        access_log off;
+        proxy_pass http://127.0.0.1:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+    }
+}
\ No newline at end of file
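Review bot: This server block sets `X-Forwarded-Proto https` and `X-Forwarded-For` unconditionally and proxies to the plain `:8080` listener, which docker-compose.yml also publishes directly on the host; a client hitting `:8080` can therefore send its own `X-Forwarded-Proto: https` and the application cannot tell it from the TLS front-end unless its trusted-proxy list is limited to the loopback/container address. That is worth a comment here, e.g. `# app must trust forwarded headers from 127.0.0.1 only — :8080 is also exposed directly`. The block also omits `proxy_http_version 1.1;`, so backend requests use HTTP/1.0.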
diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf
index decf0c9..b9325d6 100644
--- a/docker/nginx/nginx.conf
+++ b/docker/nginx/nginx.conf
@@ -16,7 +16,7 @@ http {
 	# send headers in one piece, it is better than sending them one by one
   tcp_nopush on;
 
-	# don't buffer data sent, good for small data bursts in real time
+  # don't buffer data sent, good for small data bursts in real time
   tcp_nodelay on;
 
   # allow the server to close connection on non responding client, this will free up memory
@@ -28,8 +28,8 @@ http {
 	log_not_found off;
 	types_hash_max_size 2048;
 
-	# if the request body size is more than the buffer size, then the entire (or partial)
-    # request body is written into a temporary file
+  # if the request body size is more than the buffer size, then the entire (or partial)
+  # request body is written into a temporary file
   client_body_buffer_size  128k;
 
     # maximum body size
@@ -40,9 +40,9 @@ http {
 
   # cache information about FDs, frequently accessed files
   open_file_cache max=200000 inactive=20s;
-  open_file_cache_valid 30s;
-  open_file_cache_min_uses 2;
-  open_file_cache_errors on;
+  open_file_cache_valid 60s;
+  open_file_cache_min_uses 5;
+  open_file_cache_errors off;
 
 	# MIME
 	include mime.types;
diff --git a/docker/post-build-dev b/docker/post-build-dev
index 7de4c81..9b1daac 100644
--- a/docker/post-build-dev
+++ b/docker/post-build-dev
@@ -7,4 +7,4 @@ echo "► Running Composer Install..."
 composer install
 
 echo "► Checking Platform Requirements"
-composer check-platform-reqs
\ No newline at end of file
+#composer check-platform-reqs
\ No newline at end of file

From bc1d25fa3f9d3fb28edaf6f4e3358c349800f49c Mon Sep 17 00:00:00 2001
From: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
Date: Fri, 25 Feb 2022 18:16:24 +0200
Subject: [PATCH 2/9] =?UTF-8?q?Add=20CI=20=F0=9F=8E=89=20=F0=9F=A4=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
---
 .../{snyk-container.yml => build-test-scan.yml}     | 13 +++++++------
 Dockerfile                                          |  2 +-
 docker-compose.prod.yml                             |  5 ++++-
 docker-compose.yml                                  |  5 ++++-
 4 files changed, 16 insertions(+), 9 deletions(-)
 rename .github/workflows/{snyk-container.yml => build-test-scan.yml} (87%)

diff --git a/.github/workflows/snyk-container.yml b/.github/workflows/build-test-scan.yml
similarity index 87%
rename from .github/workflows/snyk-container.yml
rename to .github/workflows/build-test-scan.yml
index e9f8530..cb2bfbe 100644
--- a/.github/workflows/snyk-container.yml
+++ b/.github/workflows/build-test-scan.yml
@@ -11,7 +11,7 @@
 # issues, monitor images for newly disclosed vulnerabilities in Snyk and
 # fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/
 
-name: Snyk Container
+name: Build, Test, and Scan
 
 on:
   push:
@@ -23,7 +23,7 @@ on:
     - cron: '41 5 * * 5'
 
 jobs:
-  snyk:
+  Build:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -32,10 +32,12 @@ jobs:
         with:
           dev: no
           command: create-project
-          args: symfony/symfony-demo app
+          args: --no-install --no-scripts symfony/symfony-demo app
           php_version: 7.4
-      - name: Build a Docker image
+      - name: Build & Deploy
         run: make deploy
+      - name: Test the App Startup
+        run: sleep 5 && curl localhost:8080 -I
       - name: Run Snyk to check Docker image for vulnerabilities
         # Snyk can be used to break the build when it detects vulnerabilities.
         # In this case we want to upload the issues to GitHub Code Scanning
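Review bot: `curl localhost:8080 -I` exits 0 for any HTTP response, including a 502 from nginx while php-fpm is still starting or a 500 from the app, so the "Test the App Startup" step cannot fail on a broken startup; use `run: curl --fail --silent --show-error --retry 5 --retry-connrefused --retry-delay 2 -I localhost:8080` and drop the fixed `sleep 5`, which is both too slow when the stack is up and too short on a loaded runner. Whether `make deploy` already waits on the compose healthcheck cannot be verified from this diff, since the Makefile is not shown.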
@@ -47,8 +49,7 @@ jobs:
           # or you can signup for free at https://snyk.io/login
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          image: your/image-to-test
-          args: --file=Dockerfile
+          image: kubephp_app:latest kubephp_web:latest
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v1
         with:
diff --git a/Dockerfile b/Dockerfile
index e95114d..dbe7bc4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # ---------------------------------------------- Build Time Arguments --------------------------------------------------
 ARG PHP_VERSION="7.4"
-ARG NGINX_VERSION="1.17.4"
+ARG NGINX_VERSION="1.20.1"
 ARG COMPOSER_VERSION="2"
 ARG XDEBUG_VERSION="3.1.3"
 ARG COMPOSER_AUTH
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 997b929..86b8250 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -23,4 +23,7 @@ services:
       # The Hostname for the FPM (needs to match the hostname for the `app`)
       PHP_FPM_HOST: app
     ports:
-    - 8080:8080
\ No newline at end of file
+      - 8080:8080
+    depends_on:
+      app:
+        condition: service_healthy
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index ba06d0d..f952681 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -32,4 +32,7 @@ services:
       # The Hostname for the FPM (needs to match the hostname for the `app`)
       PHP_FPM_HOST: app
     volumes:
-      - ${APP_BASE_DIR-.}/public:/app/public
\ No newline at end of file
+      - ${APP_BASE_DIR-.}/public:/app/public
+    depends_on:
+      app:
+        condition: service_healthy
\ No newline at end of file

From 669b5912b0428626f303c97a8cea6fa6aac5fe7d Mon Sep 17 00:00:00 2001
From: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
Date: Fri, 25 Feb 2022 19:44:37 +0200
Subject: [PATCH 3/9] Optimize Image Layers

Signed-off-by: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
---
 Dockerfile            | 17 +++++++++--------
 docker/post-build-dev |  2 +-
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index dbe7bc4..4094da9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -52,6 +52,7 @@ RUN apk add --no-cache --virtual .build-deps \
  # Install Xdebug at this step to make editing dev image cache-friendly, we delete xdebug from production image later
  && pecl install xdebug-${XDEBUG_VERSION} \
  # Cleanup ---------------------------------------- \
+ && rm -r /tmp/pear; \
  # - Detect Runtime Dependencies of the installed extensions. \
  # - src: https://github.com/docker-library/wordpress/blob/master/latest/php8.0/fpm-alpine/Dockerfile \
     out="$(php -r 'exit(0);')"; \
@@ -152,11 +153,10 @@ WORKDIR /app
 COPY $APP_BASE_DIR/composer.json composer.json
 COPY $APP_BASE_DIR/composer.lock composer.lock
 
-# Set PHP Version of the Image
-RUN composer config platform.php ${PHP_VERSION}
-
-# Install Dependeinces
-RUN composer install -n --no-progress --ignore-platform-reqs --no-dev --prefer-dist --no-scripts --no-autoloader
+    # Set PHP Version of the Image
+RUN composer config platform.php ${PHP_VERSION}; \
+    # Install Dependencies
+    composer install -n --no-progress --ignore-platform-reqs --no-dev --prefer-dist --no-scripts --no-autoloader
 
 # ======================================================================================================================
 # ==============================================  PRODUCTION IMAGE  ====================================================
@@ -216,15 +216,16 @@ RUN apk --no-cache add git openssh; \
 # - in Linux, `172.17.0.1` is the host IP
 ENV XDEBUG_CLIENT_HOST="host.docker.internal"
 
-# ----------------------------------------  ---------- Scripts ---------------------------------------------------------
+# ---------------------------------------------------- Scripts ---------------------------------------------------------
 
 # Copy Dev Scripts
 COPY docker/*-dev /usr/local/bin/
-RUN  chmod +x /usr/local/bin/*-dev
+RUN chmod +x /usr/local/bin/*-dev; \
 
 # ------------------------------------------------------ PHP -----------------------------------------------------------
 
-RUN mv "$PHP_INI_DIR/php.ini-development" "$PHP_INI_DIR/php.ini"
+    mv "$PHP_INI_DIR/php.ini-development" "$PHP_INI_DIR/php.ini" \
+
 COPY docker/php/dev-*   $PHP_INI_DIR/conf.d/
 
 USER www-data
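Review bot: The `mv "$PHP_INI_DIR/php.ini-development" "$PHP_INI_DIR/php.ini" \` line ends with a continuation backslash followed by a blank line and then the `COPY docker/php/dev-*` instruction; Docker currently skips empty continuation lines (with a deprecation warning), so the COPY line is appended to the RUN's shell command as extra arguments to `mv` instead of running as an instruction, and `docker/php/dev-*` is then globbed inside the container. Remove the trailing backslash so the RUN ends at `mv "$PHP_INI_DIR/php.ini-development" "$PHP_INI_DIR/php.ini"`. The blank line after `RUN chmod +x /usr/local/bin/*-dev; \` is an empty continuation line for the same reason; join the two commands without blank or comment-only lines in between.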
diff --git a/docker/post-build-dev b/docker/post-build-dev
index 9b1daac..7de4c81 100644
--- a/docker/post-build-dev
+++ b/docker/post-build-dev
@@ -7,4 +7,4 @@ echo "► Running Composer Install..."
 composer install
 
 echo "► Checking Platform Requirements"
-#composer check-platform-reqs
\ No newline at end of file
+composer check-platform-reqs
\ No newline at end of file

From b8c93ee9cc5c1bd535acff1b7f4040eb8d2eb66a Mon Sep 17 00:00:00 2001
From: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
Date: Fri, 25 Feb 2022 19:45:00 +0200
Subject: [PATCH 4/9] =?UTF-8?q?Add=20Linter=20and=20Auto=20Releaser=20+=20?=
 =?UTF-8?q?Rename=20Default=20Branch=20=F0=9F=9A=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
---
 .github/auto-release.yml              | 80 +++++++++++++++++++++++++++
 .github/workflows/auto-release.yml    | 26 +++++++++
 .github/workflows/build-test-scan.yml |  6 +-
 .github/workflows/lint.yml            | 32 +++++++++++
 4 files changed, 141 insertions(+), 3 deletions(-)
 create mode 100644 .github/auto-release.yml
 create mode 100644 .github/workflows/auto-release.yml
 create mode 100644 .github/workflows/lint.yml

diff --git a/.github/auto-release.yml b/.github/auto-release.yml
new file mode 100644
index 0000000..c1f8916
--- /dev/null
+++ b/.github/auto-release.yml
@@ -0,0 +1,80 @@
+name-template: 'v$RESOLVED_VERSION 🌈'
+tag-template: 'v$RESOLVED_VERSION'
+version-template: '$MAJOR.$MINOR.$PATCH'
+version-resolver:
+  major:
+    labels:
+      - 'major'
+  minor:
+    labels:
+      - 'minor'
+      - 'enhancement'
+      - 'feature'
+  patch:
+    labels:
+      - 'auto-update'
+      - 'patch'
+      - 'fix'
+      - 'chore'
+      - 'bugfix'
+      - 'bug'
+      - 'hotfix'
+  default: 'patch'
+
+categories:
+  - title: '🚀 Enhancements'
+    labels:
+      - 'enhancement'
+      - 'feature'
+      - 'patch'
+  - title: '🐛 Bug Fixes'
+    labels:
+      - 'fix'
+      - 'bugfix'
+      - 'bug'
+      - 'hotfix'
+  - title: '🤖 Automatic Updates'
+    labels:
+      - 'auto-update'
+  - title: '📝 Documentation'
+    labels:
+      - 'chore'
+
+autolabeler:
+  - label: 'chore'
+    files:
+      - '*.md'
+  - label: 'enhancement'
+    title: '/enhancement/i'
+
+  - label: 'bugfix'
+    title: '/bugfix/i'
+
+  - label: 'bug'
+    title: '/🐛|🐞|fixes/i'
+
+  - label: 'auto-update'
+    title: '/🤖/i'
+
+  - label: 'feature'
+    title: '/🚀|🎉/i'
+
+change-template: |
+  <details>
+    <summary>$TITLE @$AUTHOR (#$NUMBER)</summary>
+
+    $BODY
+  </details>
+
+template: |
+  ## Changes
+
+  $CHANGES
+
+replacers:
+  # Remove irrelevant information from Renovate bot
+  - search: '/(?<=---\s+)+^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm'
+    replace: ''
+  # Remove Renovate bot banner image
+  - search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'
+    replace: ''
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
new file mode 100644
index 0000000..db6ab68
--- /dev/null
+++ b/.github/workflows/auto-release.yml
@@ -0,0 +1,26 @@
+name: auto-release
+
+on:
+  push:
+    # branches to consider in the event; optional, defaults to all
+    branches:
+      - main
+  # pull_request event is required only for autolabeler
+  pull_request:
+    # Only following types are handled by the action, but one can default to all as well
+    types: [ opened, reopened, synchronize ]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      # Drafts your next Release notes as Pull Requests are merged into "main"
+      - uses: release-drafter/release-drafter@v5
+        with:
+          publish: false
+          prerelease: true
+          config-name: auto-release.yml
+          # allows autolabeler to run without unmerged PRs from being added to draft
+          disable-releaser: ${{ github.ref_name != 'main' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
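Review bot: The workflow declares no `permissions:`, so release-drafter runs with the repository's default `GITHUB_TOKEN` scope, which on older repositories is write-all; it needs only `contents: write` and `pull-requests: write` (for the autolabeler), so add `permissions: { contents: write, pull-requests: write }` at the job. `release-drafter/release-drafter@v5` is a mutable tag, unlike the SHA-pinned Snyk action in build-test-scan.yml; pin it to a commit. On `pull_request` events from forks the token is read-only regardless, so autolabeling will fail there — expected, but worth a comment next to the `pull_request:` trigger.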
diff --git a/.github/workflows/build-test-scan.yml b/.github/workflows/build-test-scan.yml
index cb2bfbe..7661e08 100644
--- a/.github/workflows/build-test-scan.yml
+++ b/.github/workflows/build-test-scan.yml
@@ -15,15 +15,15 @@ name: Build, Test, and Scan
 
 on:
   push:
-    branches: [ php-8 ]
+    branches: [ main ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ master ]
+    branches: [ main ]
   schedule:
     - cron: '41 5 * * 5'
 
 jobs:
-  Build:
+  Build-Test-Scan:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..54e4ab3
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,32 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which checks out the code, builds a container
+# image using Docker and scans that image for vulnerabilities using
+# Snyk. The results are then uploaded to GitHub Security Code Scanning
+#
+# For more examples, including how to limit scans to only high-severity
+# issues, monitor images for newly disclosed vulnerabilities in Snyk and
+# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/
+
+name: Lint
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+
+jobs:
+  Lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Hadolint Action
+        uses: hadolint/hadolint-action@v1.6.0
+        with:
+          dockerfile: Dockerfile
+          ignore: DL3018 SC2086 DL3019
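Review bot: The header comment is copied from the Snyk workflow and describes building an image and uploading results to Code Scanning, which this job does not do; replace it with e.g. `# Lints the Dockerfile with hadolint on pushes and PRs to main`. `DL3018` (pin apk package versions) is suppressed, which is exactly the rule that would flag the unpinned `apk --no-cache add git openssh` in the dev stage; if floating Alpine packages are deliberate, say so in a comment (`# DL3018: Alpine packages track the pinned base image tag`). The job only checks out code, so `permissions: { contents: read }` is sufficient and should be declared.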

From 1c934c595415eab919d926ee4558bc04328bd5ba Mon Sep 17 00:00:00 2001
From: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
Date: Fri, 25 Feb 2022 19:48:30 +0200
Subject: [PATCH 5/9] Add Checkout Step

Signed-off-by: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
---
 .github/workflows/auto-release.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index db6ab68..f13471b 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -14,6 +14,7 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/checkout@v2
       # Drafts your next Release notes as Pull Requests are merged into "main"
       - uses: release-drafter/release-drafter@v5
         with:

From fd6950894dc78b9a7ddbc5e9bd45542bc7b977ce Mon Sep 17 00:00:00 2001
From: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
Date: Fri, 25 Feb 2022 19:51:42 +0200
Subject: [PATCH 6/9] Add App Base

Signed-off-by: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
---
 .github/workflows/build-test-scan.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/build-test-scan.yml b/.github/workflows/build-test-scan.yml
index 7661e08..a5aac1b 100644
--- a/.github/workflows/build-test-scan.yml
+++ b/.github/workflows/build-test-scan.yml
@@ -22,6 +22,9 @@ on:
   schedule:
     - cron: '41 5 * * 5'
 
+env:
+  APP_BASE_DIR: "./app"
+
 jobs:
   Build-Test-Scan:
     runs-on: ubuntu-latest

From e62b2a8fcecf9d59054a6cb422d2fb3d1d81d004 Mon Sep 17 00:00:00 2001
From: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
Date: Fri, 25 Feb 2022 20:09:46 +0200
Subject: [PATCH 7/9] Fix CI

Signed-off-by: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
---
 .github/workflows/build-test-scan.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build-test-scan.yml b/.github/workflows/build-test-scan.yml
index a5aac1b..b4d59e1 100644
--- a/.github/workflows/build-test-scan.yml
+++ b/.github/workflows/build-test-scan.yml
@@ -47,12 +47,11 @@ jobs:
         continue-on-error: true
         uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
         env:
-          # In order to use the Snyk Action you will need to have a Snyk API token.
-          # More details in https://github.com/snyk/actions#getting-your-snyk-token
-          # or you can signup for free at https://snyk.io/login
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
           image: kubephp_app:latest kubephp_web:latest
+          sarif: true
+          json: true
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v1
         with:

From 544bdd9b338abcf72c38eb927c6f3a4ebbbdb99a Mon Sep 17 00:00:00 2001
From: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
Date: Fri, 25 Feb 2022 20:19:38 +0200
Subject: [PATCH 8/9] Fix Snyk Scanning

Signed-off-by: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
---
 .github/workflows/build-test-scan.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/build-test-scan.yml b/.github/workflows/build-test-scan.yml
index b4d59e1..65f9712 100644
--- a/.github/workflows/build-test-scan.yml
+++ b/.github/workflows/build-test-scan.yml
@@ -50,8 +50,7 @@ jobs:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
           image: kubephp_app:latest kubephp_web:latest
-          sarif: true
-          json: true
+          args: --file=Dockerfile --print-deps
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v1
         with:
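Review bot: `image:` now lists two images separated by a space, which the Snyk docker action forwards to one `snyk container test` invocation; whether the CLI scans both or treats the second as a stray argument, and how a single `snyk.sarif` is produced from two images, cannot be verified from this diff, so confirm `kubephp_web:latest` actually appears in the uploaded results. The names `kubephp_app` / `kubephp_web` also depend on the compose project name and on the compose version's image-name separator, neither of which is fixed here (`make deploy` is not shown); an explicit `image:` per service in docker-compose.yml would make them stable. `--print-deps` dumps the full package list into the CI log on every run and is normally only useful while debugging.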

From d2f551dcf7ab0402669b8210143f11ea2833a33d Mon Sep 17 00:00:00 2001
From: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
Date: Fri, 25 Feb 2022 20:24:38 +0200
Subject: [PATCH 9/9] Update README.md

Signed-off-by: Sherif Abdel-Naby <sherifabdlnaby@gmail.com>
---
 README.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index ff656f0..0b6f059 100644
--- a/README.md
+++ b/README.md
@@ -9,10 +9,10 @@
 		<img src="https://img.shields.io/github/v/tag/sherifabdlnaby/kubephp?label=release&amp;sort=semver">
     </a>
 	<a>
-		<img src="https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat" alt="contributions welcome">
+		<img src="https://github.com/sherifabdlnaby/kubephp/actions/workflows/build-test-scan.yml/badge.svg" alt="Build">
 	</a>
 	<a>
-		<img src="https://img.shields.io/badge/PHP-%3E=7-blueviolet" alt="PHP >=7^">
+		<img src="https://img.shields.io/badge/PHP-%3E%3D7%5E%20%7C%20%3E%3D8%5E-%23777BB4?logo=php" alt="PHP >=7^ | >=8^ ">
 	</a>
 	<a href="https://github.com/sherifabdlnaby/kubephp/network">
 		<img src="https://img.shields.io/github/forks/sherifabdlnaby/kubephp.svg" alt="GitHub forks">
@@ -23,6 +23,9 @@
 	<a href="https://raw.githubusercontent.com/sherifabdlnaby/kubephp/blob/master/LICENSE">
 		<img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="GitHub license">
 	</a>
+	<a>
+		<img src="https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat" alt="contributions welcome">
+	</a>
 </p>
 
 # Introduction