codedmonkey
diff --git a/‎.github/workflows/docker-build.yaml‎
Lines changed: 0 additions & 22 deletions b/‎.github/workflows/docker-build.yaml‎
Lines changed: 0 additions & 22 deletions
diff --git a/‎.github/workflows/images-build.yaml‎
Lines changed: 31 additions & 0 deletions b/‎.github/workflows/images-build.yaml‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎.github/workflows/docker-publish.yaml‎ ‎.github/workflows/images-publish.yaml‎.github/workflows/docker-publish.yaml renamed to .github/workflows/images-publish.yaml
Lines changed: 19 additions & 22 deletions b/‎.github/workflows/docker-publish.yaml‎ ‎.github/workflows/images-publish.yaml‎.github/workflows/docker-publish.yaml renamed to .github/workflows/images-publish.yaml
Lines changed: 19 additions & 22 deletions
diff --git a/‎.github/workflows/linting-dependencies.yaml‎
Lines changed: 57 additions & 0 deletions b/‎.github/workflows/linting-dependencies.yaml‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎.github/workflows/lint.yaml‎ ‎.github/workflows/linting.yaml‎.github/workflows/lint.yaml renamed to .github/workflows/linting.yaml
Lines changed: 35 additions & 52 deletions b/‎.github/workflows/lint.yaml‎ ‎.github/workflows/linting.yaml‎.github/workflows/lint.yaml renamed to .github/workflows/linting.yaml
Lines changed: 35 additions & 52 deletions
@@ -0,0 +1,31 @@
+name: Build images
+
+# Verifies whether the build of the images is valid. It does not publish the
+# image to a registry. It's triggered by new commits and a daily schedule for
+# the default branch. If any of the jobs fail for new commits they're not
+# allowed to be merged into the default branch. If it starts failing because of
+# changes to dependencies of the build process, it must be fixed before new
+# features are merged to ensure integrity.
+
+on:
+  pull_request:
+  push:
+  schedule:
+    - cron: "30 4 * * *"
+
+jobs:
+  build-standalone:
+    name: Standalone images
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: docker-container
+
+      - name: Build images
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
@@ -1,31 +1,31 @@
-name: Publish image
+name: Publish images
+
+# Builds and publishes the images to the GitHub registry. There are 2 triggers
+# for this workflow, a scheduled trigger to publish the latest development
+# version (the default branch) every night, and a trigger for tags formatted
+# as a semver version to publish releases. For any other image, it's
+# recommended to download the source code and build it locally as explained in
+# the documentation.
 
 on:
   push:
-    tags:
-      - v*
+    tags: ["v*.*.*"]
   schedule:
-    -
-      cron:  "30 4 * * *"
+    - cron:  "30 4 * * *"
 
 jobs:
-  publish-image:
-    name: Publish Docker image
+  publish-standalone:
+    name: Standalone images
+
     runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
-      packages: write
-      attestations: write
+
     steps:
-      -
-        name: Set up Docker Buildx
+      - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
           driver: docker-container
 
-      -
-        name: Extract metadata for Docker
+      - name: Extract metadata for Docker
         id: meta
         uses: docker/metadata-action@v5
         with:
@@ -35,16 +35,14 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
 
-      -
-        name: Login to GitHub Packages
+      - name: Login to GitHub Packages
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      -
-        name: Build and push Docker image
+      - name: Build and publish images
         id: push
         uses: docker/build-push-action@v6
         with:
@@ -53,8 +51,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           platforms: linux/amd64,linux/arm64
 
-      -
-        name: Generate artifact attestation
+      - name: Generate artifact attestation
         uses: actions/attest-build-provenance@v2
         with:
           subject-name: ghcr.io/${{ github.repository }}
 
@@ -0,0 +1,57 @@
+name: Lint dependencies
+
+# Runs tools to validate dependencies. This workflow is triggered for new
+# commits and every night for the default branch. If any of the jobs fail for
+# new commits they're not allowed to be merged into the default branch. If it
+# starts failing because of vulnerabilities, they must be fixed before new
+# features are merged and a security release must be made.
+
+on:
+  pull_request:
+  push:
+  schedule:
+    - cron:  "30 4 * * *"
+
+jobs:
+  composer:
+    name: Composer
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install PHP with extensions
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.3
+          tools: composer:v2
+
+      - name: Set Composer cache directory
+        id: composer-cache
+        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+
+      - name: Cache Composer output
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-
+
+      - name: Install Composer dependencies
+        id: composer-install
+        run: composer install --ansi --no-interaction --no-progress
+
+      - name: Check if any Composer dependencies are compromised
+        if: always() && steps.composer-install.outcome == 'success'
+        run: composer audit --ansi
+
+      # This check always shows a success state, even when there are
+      # outdated recipes (due to `continue-on-error`). Please check
+      # the result when updating Composer dependencies.
+      # todo fail when composer.lock changed and there is an outdated recipe
+      - name: Check if any Symfony Flex recipes are outdated
+        if: always() && steps.composer-install.outcome == 'success'
+        continue-on-error: true
+        run: composer recipes --outdated --ansi
@@ -1,18 +1,15 @@
 name: Lint code & configuration
 
-on:
-  pull_request:
-  push:
+# Runs tools to lint and validate the code and configuration. Only triggered by
+# creating new commits. If any of the jobs fail for new commits they're not
+# allowed to be merged into the default branch.
 
-env:
-  fail-fast: true
-
-permissions:
-  contents: read
+on: [pull_request, push]
 
 jobs:
   linters:
     name: Linters
+
     runs-on: ubuntu-latest
 
     steps:
@@ -22,8 +19,6 @@ jobs:
       - name: Install PHP with extensions
         uses: shivammathur/setup-php@v2
         with:
-          coverage: none
-          extensions: intl
           php-version: 8.3
           tools: composer:v2
 
@@ -38,56 +33,48 @@ jobs:
           key: ${{ runner.os }}-composer-${{ hashFiles('composer.lock') }}
           restore-keys: ${{ runner.os }}-composer-
 
-      - name: Install dependencies
-        id: install
+      - name: Install Composer dependencies
+        id: composer-install
         run: composer install --ansi --no-interaction --no-progress
 
-      - name: Lint YAML files
-        if: always() && steps.install.outcome == 'success'
-        run: bin/console lint:yaml .github config translations --parse-tags
-
-      - name: Lint Twig templates
-        if: always() && steps.install.outcome == 'success'
-        run: bin/console lint:twig templates --env=prod
-
-      #- name: Lint XLIFF translation files
-      #  if: always() && steps.install.outcome == 'success'
-      #  run: bin/console lint:xliff translations
+      - name: Lint Composer configuration
+        if: always() && steps.composer-install.outcome == 'success'
+        run: composer validate --ansi
+        # todo enable strict mode, currently license is invalid
+        # run: composer validate --strict --ansi
 
-      #- name: Lint translation contents
-      #  if: always() && steps.install.outcome == 'success'
-      #  run: bin/console lint:translations
+      - name: Lint Symfony service container
+        if: always() && steps.composer-install.outcome == 'success'
+        run: bin/console lint:container --ansi
 
-      - name: Lint Parameters and Services
-        if: always() && steps.install.outcome == 'success'
-        run: bin/console lint:container --no-debug
+      - name: Lint translation files
+        if: always() && steps.composer-install.outcome == 'success'
+        run: bin/console lint:translations --ansi
 
-      - name: Lint Composer config
-        if: always() && steps.install.outcome == 'success'
-        run: composer validate
-        # todo enable strict mode, currently license is invalid
-        # run: composer validate --strict
+      - name: Lint Twig templates
+        if: always() && steps.composer-install.outcome == 'success'
+        run: bin/console lint:twig templates --ansi
 
-      - name: Check if any dependencies are compromised
-        if: always() && steps.install.outcome == 'success'
-        run: composer audit
+      - name: Lint YAML files
+        if: always() && steps.composer-install.outcome == 'success'
+        run: bin/console lint:yaml .github config translations --parse-tags --ansi
 
-      - name: Check if any Symfony recipes are outdated
-        if: always() && steps.install.outcome == 'success'
-        run: composer recipes --outdated --no-interaction
+      #- name: Lint XLIFF translation files
+      #  if: always() && steps.composer-install.outcome == 'success'
+      #  run: bin/console lint:xliff translations --ansi
 
   php-cs-fixer:
     name: PHP-CS-Fixer
+
     runs-on: ubuntu-latest
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Install PHP with extensions
         uses: shivammathur/setup-php@v2
         with:
-          coverage: none
-          extensions: intl
           php-version: 8.3
           tools: composer:v2
 
@@ -102,15 +89,15 @@ jobs:
           key: ${{ runner.os }}-composer-${{ hashFiles('composer.lock') }}
           restore-keys: ${{ runner.os }}-composer-
 
-      - name: Install dependencies
-        id: install
+      - name: Install Composer dependencies
         run: composer install --ansi --no-interaction --no-progress
 
-      - name: PHP-CS-Fixer
-        run: ./vendor/bin/php-cs-fixer fix --diff --dry-run
+      - name: Run PHP-CS-Fixer
+        run: vendor/bin/php-cs-fixer fix --diff --dry-run --ansi --show-progress none
 
   phpstan:
     name: PHPStan
+
     runs-on: ubuntu-latest
 
     steps:
@@ -120,8 +107,6 @@ jobs:
       - name: Install PHP with extensions
         uses: shivammathur/setup-php@v2
         with:
-          coverage: none
-          extensions: intl
           php-version: 8.3
           tools: composer:v2
 
@@ -136,10 +121,8 @@ jobs:
           key: ${{ runner.os }}-composer-${{ hashFiles('composer.lock') }}
           restore-keys: ${{ runner.os }}-composer-
 
-      - name: Install dependencies
-        id: install
+      - name: Install Composer dependencies
         run: composer install --ansi --no-interaction --no-progress
 
       - name: Run PHPStan
-        if: always() && steps.install.outcome == 'success'
-        run: ./vendor/bin/phpstan analyze
+        run: vendor/bin/phpstan analyze --ansi --no-progress