…metrics combination step
…tforms fixed for toml
…erence in Docker image workflow
…stallation, and enhance security with non-root user
…n for Debian and Alpine
…r Debian bullseye
…g generation for bookworm images
…it version dependant
… tips for Docker images
…s and correct PHP version variable usage
…s for S6 overlay, while removing unused fix-attrs.d directory
…ssions management
…and add build arguments
I have been informed that these changes are too big... and I shouldn't merge this... but since no one else is here I am typing this comment to the void... :)
Pull Request Overview
This PR modernizes the PHP container setup by refactoring service scripts to use /bin/sh, implementing a multi-stage Docker build with BuildKit caching, consolidating PHP extension installs, integrating the S6 overlay init system, and adding a reusable GitHub Action for multi-platform Docker builds.
- Switch service scripts to sh and add init/finish hooks for PHP modes.
- Refactor Dockerfile into builder/production stages, use cache mounts, group extension installs, and integrate S6 overlay.
- Add a composite GitHub Action to set up QEMU and Buildx for multi-arch builds.
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| s6-overlay/services.d/php/run | Switch to /bin/sh, detect PHP_TYPE, and start PHP in modes. |
| s6-overlay/services.d/php/finish | Add finish script to log exit code and shut down container on errors. |
| s6-overlay/fix-attrs.d/01-php-dirs | Define directory permissions for PHP runtime files. |
| s6-overlay/cont-init.d/10-php-config | Generate PHP .ini settings from environment variables. |
| Dockerfile | Refactor to multi-stage build, use BuildKit cache, group installs, and add S6 overlay. |
| .github/docker-setup/action.yml | Composite Action to configure QEMU and Buildx for multi-architecture builds. |
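The 10-php-config row above describes generating PHP .ini settings from environment variables. An added example of how such a cont-init script can do that safely (this is not the PR's script): directives are taken from a fixed allow-list, and each value is checked for characters that could smuggle in a second directive or section before it is written. The variable names (PHP_MEMORY_LIMIT and friends), the allowed character set and the output path are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's s6-overlay/cont-init.d/10-php-config script.
# Render php.ini overrides from environment variables using an allow-list so
# that only known directives with well-formed values reach the interpreter.
# The PHP_* variable names and the output path are assumptions.

# is_valid_ini_value VALUE -> 0 when VALUE is non-empty and contains only
# characters that cannot start a new line, directive (';') or section ('[').
is_valid_ini_value() {
  case "$1" in
    ''|*[!A-Za-z0-9_./:=-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# render_ini: print "directive = value" for each allowed mapping whose
# environment variable is set and valid; invalid values are skipped with a
# warning on stderr rather than written in a mangled form.
render_ini() {
  for mapping in \
    memory_limit:PHP_MEMORY_LIMIT \
    upload_max_filesize:PHP_UPLOAD_MAX_FILESIZE \
    post_max_size:PHP_POST_MAX_SIZE \
    max_execution_time:PHP_MAX_EXECUTION_TIME \
    expose_php:PHP_EXPOSE_PHP
  do
    directive=${mapping%%:*}
    var=${mapping#*:}
    # var comes only from the hard-coded list above, so eval is safe here
    eval "value=\${$var:-}"
    [ -n "$value" ] || continue
    if is_valid_ini_value "$value"; then
      printf '%s = %s\n' "$directive" "$value"
    else
      printf 'skipping %s: invalid value in %s\n' "$directive" "$var" >&2
    fi
  done
}

# write_ini PATH: write the rendered directives to PATH (assumed location,
# e.g. /usr/local/etc/php/conf.d/zz-env.ini)
write_ini() {
  render_ini > "$1"
}
```

Called from cont-init.d as `write_ini /usr/local/etc/php/conf.d/zz-env.ini`, an environment value such as `PHP_POST_MAX_SIZE="64M<newline>extra_directive = x"` is dropped with a warning instead of adding a second directive to the generated file.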
| # For CLI, we just execute a long-running command or wait | ||
| # This is typically handled by the CMD instruction and not S6 | ||
| echo "Running in CLI mode - service management handled by CMD" | ||
| sleep infinity |
The sleep infinity command isn't POSIX and may not be supported by /bin/sh (e.g., BusyBox). Consider using tail -f /dev/null or sleep 2147483647 for compatibility.
| sleep infinity | |
| tail -f /dev/null |
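Review bot: the replacement line `tail -f /dev/null` should be `exec tail -f /dev/null`; without exec the supervised process is the /bin/sh wrapper, so a signal s6 sends to bring the service down reaches the shell rather than the child, which is then left to the container's kill timeout. The same applies to the `sleep infinity` line being replaced.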
| rm -rf /var/lib/apt/lists/*; \ | ||
| elif [ "$BASEOS" = "bookworm" ]; then \ | ||
| # Install dependencies based on the base OS with BuildKit cache mounts | ||
| RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ |
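Review bot: the `--mount=type=cache,target=/var/cache/apt,sharing=locked` mount on the RUN line will keep nothing on Debian images unless `/etc/apt/apt.conf.d/docker-clean` is removed first, because that stock config deletes downloaded packages after every install; the `rm -rf /var/lib/apt/lists/*` at the top of the hunk also throws away index lists that a second `--mount=type=cache,target=/var/lib/apt,sharing=locked` would otherwise retain. Suggest `rm -f /etc/apt/apt.conf.d/docker-clean` before `apt-get update` and the second cache mount.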
Support for Debian Bullseye was removed in this refactor; the if [ "$BASEOS" = "bookworm" ] branch no longer handles bullseye. If you still need Bullseye, add a dedicated condition.
| @@ -55,8 +72,165 @@ RUN case $(uname -m) in \ | |||
| IPE_GD_WITHOUTAVIF=1 install-php-extensions gd; \ | |||
| ;; \ | |||
| *) \ | |||
| install-php-extensions gd; \ | |||
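Review bot: the `case $(uname -m)` dispatch at the head of this hunk keys the GD build on the machine name reported inside the build container, while the commit description says the production stage selects s6-overlay by TARGETARCH; using the TARGETARCH/TARGETVARIANT build args in both places gives one source of truth for the architecture under `--platform` builds. The `install-php-extensions gd` line in the default branch duplicates the armv7 branch apart from the `IPE_GD_WITHOUTAVIF=1` prefix, so the case could set only that variable and a single install line could follow it.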
[nitpick] The gd extension is installed in both the architecture-specific and default branches. You can simplify this by moving install-php-extensions gd outside the case.
| tar -C / -Jxpf s6-overlay-noarch.tar.xz && \ | ||
| tar -C / -Jxpf s6-overlay-${S6_ARCH}.tar.xz && \ | ||
| rm s6-overlay-noarch.tar.xz s6-overlay-${S6_ARCH}.tar.xz; \ |
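Review bot: the two `tar -C / -Jxpf` lines extract archives into `/` as root with no integrity check on what was downloaded. A `.sha256` file fetched from the same release URL only detects a corrupted transfer, since anyone able to alter the archive can alter the digest file next to it; pin the expected digests in the Dockerfile (for example as `ARG`s alongside `S6_OVERLAY_VERSION`) and compare with `sha256sum -c` before either `tar` runs, failing the build on mismatch.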
Downloading S6 overlay without checksum verification can lead to supply-chain risks. Consider verifying the archive integrity (e.g., using sha256sum) before extraction.
| tar -C / -Jxpf s6-overlay-noarch.tar.xz && \ | |
| tar -C / -Jxpf s6-overlay-${S6_ARCH}.tar.xz && \ | |
| rm s6-overlay-noarch.tar.xz s6-overlay-${S6_ARCH}.tar.xz; \ | |
| wget -q https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz.sha256 && \ | |
| wget -q https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${S6_ARCH}.tar.xz.sha256 && \ | |
| echo "$(cat s6-overlay-noarch.tar.xz.sha256)" | sha256sum -c - && \ | |
| echo "$(cat s6-overlay-${S6_ARCH}.tar.xz.sha256)" | sha256sum -c - && \ | |
| tar -C / -Jxpf s6-overlay-noarch.tar.xz && \ | |
| tar -C / -Jxpf s6-overlay-${S6_ARCH}.tar.xz && \ | |
| rm s6-overlay-noarch.tar.xz s6-overlay-${S6_ARCH}.tar.xz s6-overlay-noarch.tar.xz.sha256 s6-overlay-${S6_ARCH}.tar.xz.sha256; \ |
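A stronger form of the verification suggested in the comment above, as an added example that is not part of the PR: the expected digest is pinned in the Dockerfile rather than fetched from the same release URL, and the archive is deleted on mismatch so a later `tar` step cannot pick it up. The function names `verify_sha256` and `fetch_verified`, the use of `wget` and `sha256sum`, and all digest values are assumptions; `S6_OVERLAY_VERSION` and `S6_ARCH` are taken from the hunk.

```shell
#!/bin/sh
# Added example, not code from the PR. Verify a downloaded archive against a
# digest pinned in the Dockerfile (e.g. ARG S6_NOARCH_SHA256=<placeholder>)
# instead of a .sha256 file fetched from the same release URL.
set -eu

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 (with a message) otherwise
verify_sha256() {
  file="$1"
  expected="$2"
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# fetch_verified URL FILE EXPECTED_HEX: download to FILE, verify, and remove
# the file on mismatch so nothing unverified is left for a later tar step.
fetch_verified() {
  url="$1"
  file="$2"
  expected="$3"
  wget -q -O "$file" "$url"
  if ! verify_sha256 "$file" "$expected"; then
    rm -f "$file"
    return 1
  fi
}

# Usage inside the Dockerfile RUN step (S6_OVERLAY_VERSION and S6_ARCH as in
# the hunk; S6_NOARCH_SHA256 / S6_ARCH_SHA256 are assumed pinned ARGs):
#   base=https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}
#   fetch_verified "$base/s6-overlay-noarch.tar.xz" s6-overlay-noarch.tar.xz "$S6_NOARCH_SHA256"
#   fetch_verified "$base/s6-overlay-${S6_ARCH}.tar.xz" "s6-overlay-${S6_ARCH}.tar.xz" "$S6_ARCH_SHA256"
#   tar -C / -Jxpf s6-overlay-noarch.tar.xz && tar -C / -Jxpf "s6-overlay-${S6_ARCH}.tar.xz"
```

Because `set -e` is active, a mismatch or a failed download aborts the RUN step and therefore the image build, which is the behaviour wanted for a supply-chain check; bumping `S6_OVERLAY_VERSION` then requires updating the pinned digests in the same change.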
…xtensions
- Introduce Dockerfile.v1 with ARGs for VERSION, PHPVERSION and BASEOS
- Install packages for debian (bullseye/bookworm) and alpine variants
- Add image tooling (ghostscript, imagemagick, optipng, gifsicle, pngcrush, jpegoptim, pngquant, webp, etc.)
- Install install-php-extensions and a wide set of PHP extensions
- Conditional imagick install (handles PHP 8.3) and GD install with AV1 disabled on armv7
- Enable Apache rewrite (if available) and set WORKDIR to /var/www/html

…sions, s6-overlay and non-root user
- Add builder stage with BuildKit cache mounts to install OS-specific packages (bookworm/alpine)
- Install php extension installer and a broad set of extensions (grouped categories) including composer
- Conditionally add mcrypt by PHP version and configure GD per architecture
- Add production stage that copies built /usr/local, installs s6-overlay for TARGETARCH, and required runtime libraries by BASEOS
- Create non-root appuser, set working dir and permissions, expose PHP-related environment defaults
- Copy S6 service scripts, normalize line endings with dos2unix, set ENTRYPOINT to /init and default CMD
- Supports building v1, v2, or both variants with a single command
- Auto-appends -v2 suffix for v2 builds
- Usage: ./test-build.sh {v1|v2|both} <tag>
- Example: ./test-build.sh both 8.3-fpm-alpine
…ocker build
- Extract PHP version, variant (fpm/cli), and base OS from tag
- Pass extracted values as build arguments to both v1 and v2 builds
- Fixes "invalid reference format" error when building images

- Set DOCKER_BUILDKIT=1 when building v2 images
- v2 Dockerfile uses BuildKit features like --mount=type=cache
- v1 continues to use legacy builder for compatibility

- Add workflow to build and push v1 PHP images using a php-version/php-type/php-base-os matrix
- Set up QEMU and Buildx for multi-arch builds, use GHA cache scopes and pass build args (VERSION, PHPVERSION, BASEOS)
- Login to DockerHub, ghcr.io and Quay; push images to all three registries
- Run Trivy image scan and upload SARIF results to GitHub Security

Introduce .github/workflows/docker-image.v2.yml to provide a full CI pipeline:
- Matrix-driven builds for PHP versions, types (cli/fpm/apache) and base OS (bookworm/alpine) with exclusions
- Setup qemu and docker buildx (BuildKit) with resource limits and cache configuration
- Test stage: build/load test image, run version/extension/functional validations and advanced PHP checks
- Skip builds when Dockerfile is unchanged; build & push multi-arch images and PR preview images
- Create additional tag manifests for registries and save image tags for scanning
- Run Trivy scans and upload SARIF results; collect and upload build timing metrics and combined metrics artifact

- Single workflow builds both Dockerfile.v1 and Dockerfile.v2 in parallel
- Build and test on all branches/PRs (no registry push)
- Publish multi-arch images only from main branch
- Includes smoke tests: PHP version, extensions, s6-overlay (v2), FPM checks
- Uses BuildKit caching scoped by variant for optimal performance
- Tags: v1 uses standard tags, v2 appends -v2 suffix
- Publishes to DockerHub, GHCR, and Quay.io registries
- Includes Trivy security scanning on published images

…v1/v2
Comment out schedule, push and pull_request triggers so workflows run via manual workflow_dispatch. Also disable the PR preview image build in v2 (commented) since the pipeline is intended for manual/controlled runs.

- Add basic PHP CLI execution test (SAPI check)
- Add entrypoint/init quick-run test
- Add directory permissions check (/tmp, /var/www)
- Improve error messages with container logs on failure
- Add exit code validation for all tests
- Enhance v2 s6-overlay checks (services directory validation)
- Add proper error handling and detailed failure reporting
- Use conditional checks for variant-specific tests
- Add timeouts and buffer for CI runner variations

…oting guides
- Update README with clear v1 vs v2 comparison section
- Add "Which image should I use?" decision guide at top
- Update tag format documentation and Available Tags table
- Add registry information section
- Update image size table to show v1/v2 sizes
- Add links to detailed documentation
- Simplify troubleshooting section with links to docs
New documentation files:
- docs/migration.md: Complete v1 to v2 migration guide
- docs/troubleshooting.md: Common issues and solutions
- docs/local-build.md: Local development and test-build.sh usage
- docs/ci.md: CI/CD pipeline and publishing documentation
Changes keep README concise while providing comprehensive documentation for contributors and users migrating between variants.

- Add schedule trigger: weekly on Tuesday at 3:00 AM UTC
- Update publish job condition to run on schedule events (in addition to push)
- Schedule only triggers on main branch (publish job already gated to main)
- build-and-test runs for all triggers; publish only on main push/schedule

…nings
- Add default VERSION=8.3-cli-alpine to both Dockerfile.v1 and Dockerfile.v2
- Resolves InvalidDefaultArgInFrom warnings from BuildKit dockerfile linter
- Default is only used when no build-arg is provided (never in CI)
- CI always passes VERSION via --build-arg, so behavior unchanged
cleanup and modernize