dhi helper image

Tob1as · Tob1as · commit b3552bf52df6 · 2026-02-01T01:14:58.000+01:00
diff --git a/.github/workflows/build_docker-dhi_helper.yml b/.github/workflows/build_docker-dhi_helper.yml
@@ -0,0 +1,202 @@
+name: 'docker: DHI + Helper'
+
+on:
+  #push:
+  #  branches:
+  #    - 'main'
+  #    - 'master'
+  #  paths:
+  #    - 'dhi.helper.Dockerfile'
+  #    - '.github/workflows/build_docker-dhi_helper.yml'
+  workflow_dispatch:
+  schedule:
+    - cron: '45 2 25 * *'  # At 02:45 on day-of-month 25.
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+
+  # --------------------------------------------------
+  # JOB: PREPARE (Variables)
+  # --------------------------------------------------
+  prepare:
+    name: Prepare build variables
+    runs-on: ubuntu-latest
+
+    steps:
+      #- name: Checkout
+      #  uses: actions/checkout@v6
+
+      - name: Generate build variables
+        id: vars
+        shell: bash
+        run: |
+          BUILD_DATE="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+          BUILD_DATE_NUMERIC="${BUILD_DATE//[^[:digit:]]/}"
+          #COMMIT_HASH=$(git rev-parse --short "$GITHUB_SHA")
+          COMMIT_HASH=${GITHUB_SHA::7}
+          GIT_URL=$(echo "${GITHUB_SERVER_URL}" | awk -F/ '{print $3}' | sed 's/\/*$//')
+          GIT_URL=$(echo "$GIT_URL" | sed 's/github\.com/ghcr\.io/g')   # GIT_URL switch to ghcr.io registry for GitHub
+          GIT_REPO=${GITHUB_REPOSITORY,,}
+          GIT_REPO_SHORT=${GIT_REPO#*/}
+          GIT_REPO_SHORT=${GIT_REPO_SHORT#"docker-"}
+          DOCKER_REPO=${{ vars.DOCKER_USERNAME }}/${GIT_REPO_SHORT}
+          REDHAT_QUAY_REPO=${{ vars.REDHAT_QUAY_USERNAME }}/${GIT_REPO_SHORT}
+
+          #echo "ENVs: BUILD_DATE=${BUILD_DATE}, BUILD_DATE_NUMERIC=${BUILD_DATE_NUMERIC}, COMMIT_HASH=${COMMIT_HASH}, GIT_URL=${GIT_URL}, GIT_REPO=${GIT_REPO}, DOCKER_REPO=${DOCKER_REPO}, REDHAT_QUAY_REPO=${REDHAT_QUAY_REPO}"
+          
+          # Set output parameters to action.
+          echo "build_date=${BUILD_DATE}" >> "$GITHUB_OUTPUT"
+          echo "build_date_numeric=${BUILD_DATE_NUMERIC}" >> "$GITHUB_OUTPUT"
+          echo "commit_hash=${COMMIT_HASH}" >> "$GITHUB_OUTPUT"
+          echo "git_url=${GIT_URL}" >> "$GITHUB_OUTPUT"
+          echo "git_repo=${GIT_REPO}" >> "$GITHUB_OUTPUT"
+          echo "git_repo_short=${GIT_REPO_SHORT}" >> "$GITHUB_OUTPUT"
+          echo "docker_repo=${DOCKER_REPO}" >> "$GITHUB_OUTPUT"
+          echo "redhat_quay_repo=${REDHAT_QUAY_REPO}" >> "$GITHUB_OUTPUT"
+
+    outputs:
+      build_date: ${{ steps.vars.outputs.build_date }}
+      build_date_numeric: ${{ steps.vars.outputs.build_date_numeric }}
+      commit_hash: ${{ steps.vars.outputs.commit_hash }}
+      git_url: ${{ steps.vars.outputs.git_url }}
+      git_repo: ${{ steps.vars.outputs.git_repo }}
+      git_repo_short: ${{ steps.vars.outputs.git_repo_short }}
+      docker_repo: ${{ steps.vars.outputs.docker_repo }}
+      quay_repo: ${{ steps.vars.outputs.redhat_quay_repo }}
+
+
+  # --------------------------------------------------
+  # JOB: DHI Alpine Helper
+  # --------------------------------------------------
+  build-dhi-helper-alpine:
+    name: Build DHI Helper (Alpine)
+    runs-on: ubuntu-latest
+    needs: prepare
+
+    env:
+      BUILD_DATE: ${{ needs.prepare.outputs.build_date }}
+      BUILD_DATE_NUMERIC: ${{ needs.prepare.outputs.build_date_numeric}}
+      COMMIT_HASH: ${{ needs.prepare.outputs.commit_hash }}
+      GIT_URL: ${{ needs.prepare.outputs.git_url }}
+      GIT_REPO: ${{ needs.prepare.outputs.git_repo }}
+      GIT_REPO_SHORT: ${{ needs.prepare.outputs.git_repo_short }}
+      DOCKER_REPO: ${{ needs.prepare.outputs.docker_repo }}
+      QUAY_REPO: ${{ needs.prepare.outputs.quay_repo }}
+      PHP_VERSION: ${{ matrix.php }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Debug Variables
+        run: |
+          echo "BUILD_DATE=${BUILD_DATE}"
+          echo "BUILD_DATE_NUMERIC=${BUILD_DATE_NUMERIC}"
+          echo "COMMIT_HASH=${COMMIT_HASH}"
+          echo "GIT_URL=${GIT_URL}"
+          echo "GIT_REPO=${GIT_REPO}"
+          echo "GIT_REPO_SHORT=${GIT_REPO_SHORT}"
+          echo "DOCKER_REPO=${DOCKER_REPO}"
+          echo "QUAY_REPO=${QUAY_REPO}"
+
+      - name: Execute Docker Setup
+        id: docker-setup
+        uses: ./.github/actions/docker-setup
+        #uses: tob1as/docker-build-example/.github/actions/docker-setup@main
+        with:
+          git_url: ${{ env.GIT_URL }}
+          git_username: ${{ github.repository_owner }}
+          git_token: ${{ secrets.GITHUB_TOKEN }}
+          docker_username: ${{ vars.DOCKER_USERNAME }}
+          docker_password: ${{ secrets.DOCKER_PASSWORD }}
+          quay_username: ${{ vars.REDHAT_QUAY_USERNAME }}
+          quay_password: ${{ secrets.REDHAT_QUAY_PASSWORD }}
+
+      - name: Build
+        uses: docker/build-push-action@v6
+        with:
+          builder: ${{ steps.docker-setup.outputs.builder_name }}
+          context: .
+          file: ./dhi.helper.Dockerfile
+          platforms: linux/amd64,linux/arm64
+          pull: true
+          push: true
+          target: production-alpine
+          build-args: |
+            BUILD_DATE=${{ env.BUILD_DATE }}
+            VCS_REF=${{ env.COMMIT_HASH }}
+          tags: |
+            docker.io/${{env.DOCKER_REPO}}:${{env.PHP_VERSION}}-dhi-helper-alpine
+            docker.io/${{env.DOCKER_REPO}}:${{env.PHP_VERSION}}-dhi-helper-alpine-${{env.COMMIT_HASH}}
+          #  ${{env.GIT_URL}}/${{env.GIT_REPO}}:${{env.PHP_VERSION}}-dhi-helper-alpine
+          #  quay.io/${{env.QUAY_REPO}}:${{env.PHP_VERSION}}-dhi-helper-alpine
+
+
+  # --------------------------------------------------
+  # JOB: DHI Debian Helper
+  # --------------------------------------------------
+  build-dhi-helper-debian:
+    name: Build DHI Helper (Debian)
+    runs-on: ubuntu-latest
+    needs: prepare
+
+    env:
+      BUILD_DATE: ${{ needs.prepare.outputs.build_date }}
+      BUILD_DATE_NUMERIC: ${{ needs.prepare.outputs.build_date_numeric}}
+      COMMIT_HASH: ${{ needs.prepare.outputs.commit_hash }}
+      GIT_URL: ${{ needs.prepare.outputs.git_url }}
+      GIT_REPO: ${{ needs.prepare.outputs.git_repo }}
+      GIT_REPO_SHORT: ${{ needs.prepare.outputs.git_repo_short }}
+      DOCKER_REPO: ${{ needs.prepare.outputs.docker_repo }}
+      QUAY_REPO: ${{ needs.prepare.outputs.quay_repo }}
+      PHP_VERSION: ${{ matrix.php }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Debug Variables
+        run: |
+          echo "BUILD_DATE=${BUILD_DATE}"
+          echo "BUILD_DATE_NUMERIC=${BUILD_DATE_NUMERIC}"
+          echo "COMMIT_HASH=${COMMIT_HASH}"
+          echo "GIT_URL=${GIT_URL}"
+          echo "GIT_REPO=${GIT_REPO}"
+          echo "GIT_REPO_SHORT=${GIT_REPO_SHORT}"
+          echo "DOCKER_REPO=${DOCKER_REPO}"
+          echo "QUAY_REPO=${QUAY_REPO}"
+
+      - name: Execute Docker Setup
+        id: docker-setup
+        uses: ./.github/actions/docker-setup
+        #uses: tob1as/docker-build-example/.github/actions/docker-setup@main
+        with:
+          git_url: ${{ env.GIT_URL }}
+          git_username: ${{ github.repository_owner }}
+          git_token: ${{ secrets.GITHUB_TOKEN }}
+          docker_username: ${{ vars.DOCKER_USERNAME }}
+          docker_password: ${{ secrets.DOCKER_PASSWORD }}
+          quay_username: ${{ vars.REDHAT_QUAY_USERNAME }}
+          quay_password: ${{ secrets.REDHAT_QUAY_PASSWORD }}
+
+      - name: Build
+        uses: docker/build-push-action@v6
+        with:
+          builder: ${{ steps.docker-setup.outputs.builder_name }}
+          context: .
+          file: ./dhi.helper.Dockerfile
+          platforms: linux/amd64,linux/arm64
+          pull: true
+          push: true
+          target: production-debian
+          build-args: |
+            BUILD_DATE=${{ env.BUILD_DATE }}
+            VCS_REF=${{ env.COMMIT_HASH }}
+          tags: |
+            docker.io/${{env.DOCKER_REPO}}:${{env.PHP_VERSION}}-dhi-helper-debian
+            docker.io/${{env.DOCKER_REPO}}:${{env.PHP_VERSION}}-dhi-helper-debian-${{env.COMMIT_HASH}}
+          #  ${{env.GIT_URL}}/${{env.GIT_REPO}}:${{env.PHP_VERSION}}-dhi-helper-debian
+          #  quay.io/${{env.QUAY_REPO}}:${{env.PHP_VERSION}}-dhi-helper-debian
diff --git a/dhi.helper.Dockerfile b/dhi.helper.Dockerfile
@@ -0,0 +1,106 @@
+# build: docker build --no-cache --progress=plain --target=production-alpine -t docker.io/tobi312/php:dhi-helper-alpine -f dhi.helper.Dockerfile .
+ARG ALPINE_OS_VERSION=3.23
+ARG DEBIAN_OS_VERSION=trixie
+FROM dhi.io/alpine-base:${ALPINE_OS_VERSION}-dev AS dev-alpine
+
+SHELL ["/bin/sh", "-o", "pipefail", "-c"]
+
+COPY <<'EOF' /usr/local/bin/php-fpm-healthcheck.sh
+#!/bin/sh
+# required: fcgi (alpine) or libfcgi-bin (debian)
+: "${PHP_FPM_STATUS_HOST:="127.0.0.1"}"       # set host
+: "${PHP_FPM_STATUS_PORT:="9001"}"            # PHP-FPM Status/Ping Port (default: 9000, but here use 9001)
+: "${PHP_FPM_PING_PATH:="/php_fpm_ping"}"     # (default: /ping, but here use /php_fpm_ping)
+echo ">> FCGI Settings: Host=${PHP_FPM_STATUS_HOST}, Port=${PHP_FPM_STATUS_PORT}, Path=${PHP_FPM_PING_PATH}"
+SCRIPT_NAME="${PHP_FPM_PING_PATH}" SCRIPT_FILENAME="${PHP_FPM_PING_PATH}" REQUEST_METHOD=GET cgi-fcgi -bind -connect "${PHP_FPM_PING_HOST}:${PHP_FPM_STATUS_PORT}" >/dev/null 2>&1
+echo $?
+EOF
+
+RUN chmod +x /usr/local/bin/*.sh
+
+
+FROM dev-alpine AS builder-alpine
+
+SHELL ["/bin/sh", "-o", "pipefail", "-c"]
+
+WORKDIR /tmp
+
+ENV PACKAGE_LIST_CURL=""
+ENV PACKAGE_LIST_NANO=""
+ENV PACKAGE_LIST_DB=""
+# example package extractor: https://github.com/Tob1as/docker-php/blob/master/dhi.alpine.fpm.wsc.Dockerfile#L131
+# List of packages for download separated by spaces.
+ENV PACKAGE_LIST_CURL="curl libcurl zlib c-ares nghttp3 nghttp2-libs libidn2 libpsl libssl3 libcrypto3 zstd-libs brotli-libs libunistring"
+#ENV PACKAGE_LIST_NANO="nano libncursesw ncurses-terminfo-base"
+#ENV PACKAGE_LIST_DB="mysql-client mariadb-client mariadb-backup libstdc++ libgcc"
+ENV PACKAGE_LIST="fcgi unzip ${PACKAGE_LIST_CURL} ${PACKAGE_LIST_NANO} ${PACKAGE_LIST_DB}"
+# hadolint ignore=DL3008,DL3015,SC2086
+RUN \
+    #apk fetch --no-cache --recursive $PACKAGE_LIST && \
+    apk fetch --no-cache $PACKAGE_LIST && \
+    mkdir -p /apkroot && \
+    for pkg in *.apk; do \
+        tar -xzf "$pkg" -C /apkroot; \
+    done && \
+    echo "Packages have been processed !"
+# List directory and file structure
+#RUN tree /apkroot
+
+COPY --from=dev-alpine /usr/local/bin/php-fpm-healthcheck.sh /apkroot/usr/local/bin/php-fpm-healthcheck.sh
+
+RUN tree /apkroot
+
+
+FROM dhi.io/alpine-base:${ALPINE_OS_VERSION} AS production-alpine
+ARG BUILD_PHP_VERSION
+ARG VCS_REF
+ARG BUILD_DATE
+#ENV TERM=xterm
+LABEL org.opencontainers.image.authors="Tobias Hargesheimer <docker@ison.ws>" \
+      org.opencontainers.image.title="Helper tools (dhi alpine)" \
+      org.opencontainers.image.description="DHI (Docker Hardened Images): Helper tools on Alpine" \
+      org.opencontainers.image.created="${BUILD_DATE}" \
+      org.opencontainers.image.revision="${VCS_REF}" \
+      org.opencontainers.image.licenses="Apache-2.0" \
+      org.opencontainers.image.url="https://hub.docker.com/r/tobi312/php" \
+      org.opencontainers.image.source="https://github.com/Tob1as/docker-php"
+# Copy the libraries from the extractor/dev stage into root
+COPY --from=builder-alpine /apkroot /
+WORKDIR /tmp
+#USER nonroot
+CMD [ "tail", "-f", "/dev/null" ]
+
+
+FROM dhi.io/debian-base:${DEBIAN_OS_VERSION} AS production-debian
+ARG BUILD_PHP_VERSION
+ARG VCS_REF
+ARG BUILD_DATE
+#ENV TERM=xterm
+LABEL org.opencontainers.image.authors="Tobias Hargesheimer <docker@ison.ws>" \
+      org.opencontainers.image.title="Helper tools (dhi debian)" \
+      org.opencontainers.image.description="DHI (Docker Hardened Images): Helper tools on Debian" \
+      org.opencontainers.image.created="${BUILD_DATE}" \
+      org.opencontainers.image.revision="${VCS_REF}" \
+      org.opencontainers.image.licenses="Apache-2.0" \
+      org.opencontainers.image.url="https://hub.docker.com/r/tobi312/php" \
+      org.opencontainers.image.source="https://github.com/Tob1as/docker-php"
+
+#USER root
+
+RUN apt-get update && \
+    apt-get install -y \
+        libfcgi-bin \
+        unzip \
+        curl \
+        wget \
+        netcat-openbsd \
+        #nano \
+        #mariadb-client \
+    && \
+    rm -rf /var/lib/apt/lists/*
+
+COPY --from=dev-alpine /usr/local/bin/php-fpm-healthcheck.sh /usr/local/bin/php-fpm-healthcheck.sh
+
+WORKDIR /tmp
+USER nonroot
+CMD [ "tail", "-f", "/dev/null" ]
