Skip to content

added debian image variant #122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
fabriciojs merged 16 commits into from
Jan 26, 2026
Merged

added debian image variant #122

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
24e5b23
added debian image variant
fabriciojs Jan 25, 2026
ca9d996
fix debian supervisor
fabriciojs Jan 25, 2026
e0dfd74
change base to stable debian bookworm
fabriciojs Jan 25, 2026
5684e0e
Review Changes
dbpolito Jan 25, 2026
e0edb16
Merge branch 'master' into debian
fabriciojs Jan 25, 2026
3c892f9
update ci-cd fix sequence issue
fabriciojs Jan 25, 2026
23db27d
attempt to fix local img just built usage
fabriciojs Jan 25, 2026
0ac22cb
test local build
fabriciojs Jan 25, 2026
d309f6d
Merge branch 'master' of github.com:kool-dev/docker-php into debian
fabriciojs Jan 25, 2026
e3d9a35
refactor(ci): implement local build and test workflow (US-001)
fabriciojs Jan 25, 2026
b07079a
update docs
fabriciojs Jan 25, 2026
4db4d2e
feat(ci): add multi-arch push jobs with dependency order (US-002)
fabriciojs Jan 25, 2026
c640fe4
docs: mark US-003 Alpine image builds as completed
fabriciojs Jan 25, 2026
871dbf6
docs: mark US-004 Debian image builds as completed
fabriciojs Jan 25, 2026
2c032cb
feat(ci): add downstream repository triggers (US-005)
fabriciojs Jan 25, 2026
4c8fca9
consolidate single supervidord config
fabriciojs Jan 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
223 changes: 216 additions & 7 deletions .github/workflows/ci-cd.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ jobs:
load: true
tags: kooldev/php:${{ matrix.version }}${{ matrix.type }}

- name: Tests
- name: Tests - Basic
run: |
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -v
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} composer -V
Expand All @@ -50,6 +50,41 @@ jobs:
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m | grep readline
docker run -e ENABLE_XDEBUG=true kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m

- name: Tests - Dockerize
run: |
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} dockerize --version
# Test dockerize template rendering
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} sh -c 'echo "{{ .Env.TEST_VAR }}" > /tmp/test.tmpl && TEST_VAR=hello dockerize -template /tmp/test.tmpl:/tmp/test.out && cat /tmp/test.out | grep hello'

- name: Tests - PHP Extensions
run: |
# Core extensions that must be present in all images
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m | grep -i bcmath
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m | grep -i gd
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m | grep -i intl
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m | grep -i pdo_mysql
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m | grep -i pdo_pgsql
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m | grep -i redis
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m | grep -i zip
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m | grep -i mbstring
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m | grep -i ldap

- name: Tests - Production Checks
if: matrix.type == '-prod'
run: |
# OPcache must be enabled in production
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m | grep -i "Zend OPcache"
# Xdebug must NOT be present in production (even when ENABLE_XDEBUG=true)
docker run -e ENABLE_XDEBUG=true kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m | grep -i xdebug && exit 1 || echo "OK: xdebug not in prod"

- name: Tests - Development Checks
if: matrix.type == ''
run: |
# pcov should be available in dev
docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m | grep -i pcov
# xdebug should be available when enabled
docker run -e ENABLE_XDEBUG=true kooldev/php:${{ matrix.version }}${{ matrix.type }} php -m | grep -i xdebug

- name: Build and push
uses: docker/build-push-action@v6
if: github.ref == 'refs/heads/master' && github.repository == 'kool-dev/docker-php'
Expand Down Expand Up @@ -81,23 +116,50 @@ jobs:
docker run kooldev/php:${{ matrix.version }}-node${{ matrix.type }} npm -v
docker run kooldev/php:${{ matrix.version }}-node${{ matrix.type }} yarn -v

- name: Tests (nginx)
- name: Tests (nginx) - Basic
run: |
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -v
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} composer -V
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} composer1 -V
docker run -e ASUSER=1000 kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -v
docker run -e ASUSER=1000 kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} composer -V
docker run -e ASUSER=1000 kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} composer1 -V
docker run -e ASUSER=1000 kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} dockerize --version

docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m | grep readline
docker run -e ENABLE_XDEBUG=true kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m

docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} nginx -v
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} nginx -T
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} supervisord version

- name: Tests (nginx) - Dockerize
run: |
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} dockerize --version
# Test dockerize template rendering
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} sh -c 'echo "{{ .Env.TEST_VAR }}" > /tmp/test.tmpl && TEST_VAR=hello dockerize -template /tmp/test.tmpl:/tmp/test.out && cat /tmp/test.out | grep hello'

- name: Tests (nginx) - PHP Extensions
run: |
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m | grep -i bcmath
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m | grep -i gd
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m | grep -i intl
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m | grep -i pdo_mysql
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m | grep -i pdo_pgsql
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m | grep -i redis
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m | grep -i zip
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m | grep -i mbstring
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m | grep -i ldap

- name: Tests (nginx) - Production Checks
if: matrix.type == '-prod'
run: |
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m | grep -i "Zend OPcache"
docker run -e ENABLE_XDEBUG=true kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m | grep -i xdebug && exit 1 || echo "OK: xdebug not in prod"

- name: Tests (nginx) - Development Checks
if: matrix.type == ''
run: |
docker run kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m | grep -i pcov
docker run -e ENABLE_XDEBUG=true kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} php -m | grep -i xdebug

- name: Build and push (nginx)
uses: docker/build-push-action@v6
if: github.ref == 'refs/heads/master' && github.repository == 'kool-dev/docker-php'
Expand All @@ -116,10 +178,157 @@ jobs:
push: true
tags: kooldev/php:${{ matrix.version }}-node${{ matrix.type }}

build-debian:
runs-on: ubuntu-latest

strategy:
matrix:
type: ['', '-prod']

steps:
- name: Checkout code
uses: actions/checkout@v5.0.0

- name: Setup QEMU
uses: docker/setup-qemu-action@v3

- name: Setup Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Login to DockerHub
uses: docker/login-action@v3
if: github.ref == 'refs/heads/master' && github.repository == 'kool-dev/docker-php'
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Build and export to Docker (Debian)
uses: docker/build-push-action@v6
with:
context: 8.4-debian${{ matrix.type }}
load: true
tags: kooldev/php:8.4-debian${{ matrix.type }}

- name: Tests (Debian) - Basic
run: |
docker run kooldev/php:8.4-debian${{ matrix.type }} php -v
docker run kooldev/php:8.4-debian${{ matrix.type }} composer -V
docker run kooldev/php:8.4-debian${{ matrix.type }} composer1 -V
docker run -e ASUSER=1000 kooldev/php:8.4-debian${{ matrix.type }} php -v
docker run -e ASUSER=1000 kooldev/php:8.4-debian${{ matrix.type }} composer -V
docker run -e ASUSER=1000 kooldev/php:8.4-debian${{ matrix.type }} composer1 -V
docker run kooldev/php:8.4-debian${{ matrix.type }} php -m | grep readline
docker run -e ENABLE_XDEBUG=true kooldev/php:8.4-debian${{ matrix.type }} php -m

- name: Tests (Debian) - Dockerize
run: |
docker run kooldev/php:8.4-debian${{ matrix.type }} dockerize --version
# Test dockerize template rendering with bash
docker run kooldev/php:8.4-debian${{ matrix.type }} bash -c 'echo "{{ .Env.TEST_VAR }}" > /tmp/test.tmpl && TEST_VAR=hello dockerize -template /tmp/test.tmpl:/tmp/test.out && cat /tmp/test.out | grep hello'

- name: Tests (Debian) - Gosu user switching
run: |
docker run kooldev/php:8.4-debian${{ matrix.type }} gosu --version
# Verify gosu works for user switching - should be uid=1000 when ASUSER=1000
docker run -e ASUSER=1000 kooldev/php:8.4-debian${{ matrix.type }} id | grep "uid=1000"

- name: Tests (Debian) - PHP Extensions
run: |
# Same extensions as Alpine for consistency
docker run kooldev/php:8.4-debian${{ matrix.type }} php -m | grep -i bcmath
docker run kooldev/php:8.4-debian${{ matrix.type }} php -m | grep -i gd
docker run kooldev/php:8.4-debian${{ matrix.type }} php -m | grep -i intl
docker run kooldev/php:8.4-debian${{ matrix.type }} php -m | grep -i pdo_mysql
docker run kooldev/php:8.4-debian${{ matrix.type }} php -m | grep -i pdo_pgsql
docker run kooldev/php:8.4-debian${{ matrix.type }} php -m | grep -i redis
docker run kooldev/php:8.4-debian${{ matrix.type }} php -m | grep -i zip
docker run kooldev/php:8.4-debian${{ matrix.type }} php -m | grep -i mbstring
docker run kooldev/php:8.4-debian${{ matrix.type }} php -m | grep -i ldap

- name: Tests (Debian) - Production Checks
if: matrix.type == '-prod'
run: |
docker run kooldev/php:8.4-debian${{ matrix.type }} php -m | grep -i "Zend OPcache"
docker run -e ENABLE_XDEBUG=true kooldev/php:8.4-debian${{ matrix.type }} php -m | grep -i xdebug && exit 1 || echo "OK: xdebug not in prod"

- name: Tests (Debian) - Development Checks
if: matrix.type == ''
run: |
docker run kooldev/php:8.4-debian${{ matrix.type }} php -m | grep -i pcov
docker run -e ENABLE_XDEBUG=true kooldev/php:8.4-debian${{ matrix.type }} php -m | grep -i xdebug

- name: Build and push (Debian)
uses: docker/build-push-action@v6
if: github.ref == 'refs/heads/master' && github.repository == 'kool-dev/docker-php'
with:
context: 8.4-debian${{ matrix.type }}
platforms: linux/amd64,linux/arm64
push: true
tags: kooldev/php:8.4-debian${{ matrix.type }}

- name: Build and export to Docker (Debian nginx)
uses: docker/build-push-action@v6
with:
context: 8.4-debian-nginx${{ matrix.type }}
load: true
tags: kooldev/php:8.4-debian-nginx${{ matrix.type }}

- name: Tests (Debian nginx) - Basic
run: |
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} php -v
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} composer -V
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} composer1 -V
docker run -e ASUSER=1000 kooldev/php:8.4-debian-nginx${{ matrix.type }} php -v
docker run -e ASUSER=1000 kooldev/php:8.4-debian-nginx${{ matrix.type }} composer -V
docker run -e ASUSER=1000 kooldev/php:8.4-debian-nginx${{ matrix.type }} composer1 -V
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m | grep readline
docker run -e ENABLE_XDEBUG=true kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} nginx -v
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} nginx -T
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} supervisord version
Comment thread
fabriciojs marked this conversation as resolved.
Outdated

- name: Tests (Debian nginx) - Dockerize
run: |
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} dockerize --version
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} bash -c 'echo "{{ .Env.TEST_VAR }}" > /tmp/test.tmpl && TEST_VAR=hello dockerize -template /tmp/test.tmpl:/tmp/test.out && cat /tmp/test.out | grep hello'

- name: Tests (Debian nginx) - PHP Extensions
run: |
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m | grep -i bcmath
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m | grep -i gd
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m | grep -i intl
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m | grep -i pdo_mysql
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m | grep -i pdo_pgsql
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m | grep -i redis
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m | grep -i zip
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m | grep -i mbstring
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m | grep -i ldap

- name: Tests (Debian nginx) - Production Checks
if: matrix.type == '-prod'
run: |
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m | grep -i "Zend OPcache"
docker run -e ENABLE_XDEBUG=true kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m | grep -i xdebug && exit 1 || echo "OK: xdebug not in prod"

- name: Tests (Debian nginx) - Development Checks
if: matrix.type == ''
run: |
docker run kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m | grep -i pcov
docker run -e ENABLE_XDEBUG=true kooldev/php:8.4-debian-nginx${{ matrix.type }} php -m | grep -i xdebug

- name: Build and push (Debian nginx)
uses: docker/build-push-action@v6
if: github.ref == 'refs/heads/master' && github.repository == 'kool-dev/docker-php'
with:
context: 8.4-debian-nginx${{ matrix.type }}
platforms: linux/amd64,linux/arm64
push: true
tags: kooldev/php:8.4-debian-nginx${{ matrix.type }}

trigger-build-wordpress:
name: Trigger Wordpress Build
runs-on: ubuntu-latest
needs: build
needs: [build, build-debian]
steps:
- name: Trigger build on kool-dev/docker-wordpress
uses: benc-uk/workflow-dispatch@v1.2
Expand All @@ -132,7 +341,7 @@ jobs:
trigger-extended-builds:
name: Trigger Extended Builds
runs-on: ubuntu-latest
needs: build
needs: [build, build-debian]
strategy:
matrix:
image:
Expand Down
2 changes: 1 addition & 1 deletion 8.1-nginx-prod/default.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ server {
listen {{ .Env.NGINX_LISTEN_HTTPS }} ssl http2;
ssl_certificate {{ .Env.NGINX_HTTPS_CERT }};
ssl_certificate_key {{ .Env.NGINX_HTTPS_CERT_KEY }};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
{{ end }}
root {{ .Env.NGINX_ROOT }};
Expand Down
2 changes: 1 addition & 1 deletion 8.1-nginx/default.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ server {
listen {{ .Env.NGINX_LISTEN_HTTPS }} ssl http2;
ssl_certificate {{ .Env.NGINX_HTTPS_CERT }};
ssl_certificate_key {{ .Env.NGINX_HTTPS_CERT_KEY }};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
{{ end }}
root {{ .Env.NGINX_ROOT }};
Expand Down
2 changes: 1 addition & 1 deletion 8.2-nginx-prod/default.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ server {
listen {{ .Env.NGINX_LISTEN_HTTPS }} ssl http2;
ssl_certificate {{ .Env.NGINX_HTTPS_CERT }};
ssl_certificate_key {{ .Env.NGINX_HTTPS_CERT_KEY }};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
{{ end }}
root {{ .Env.NGINX_ROOT }};
Expand Down
2 changes: 1 addition & 1 deletion 8.2-nginx/default.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ server {
listen {{ .Env.NGINX_LISTEN_HTTPS }} ssl http2;
ssl_certificate {{ .Env.NGINX_HTTPS_CERT }};
ssl_certificate_key {{ .Env.NGINX_HTTPS_CERT_KEY }};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
{{ end }}
root {{ .Env.NGINX_ROOT }};
Expand Down
2 changes: 1 addition & 1 deletion 8.3-nginx-prod/default.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ server {
listen {{ .Env.NGINX_LISTEN_HTTPS }} ssl http2;
ssl_certificate {{ .Env.NGINX_HTTPS_CERT }};
ssl_certificate_key {{ .Env.NGINX_HTTPS_CERT_KEY }};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
{{ end }}
root {{ .Env.NGINX_ROOT }};
Expand Down
2 changes: 1 addition & 1 deletion 8.3-nginx/default.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ server {
listen {{ .Env.NGINX_LISTEN_HTTPS }} ssl http2;
ssl_certificate {{ .Env.NGINX_HTTPS_CERT }};
ssl_certificate_key {{ .Env.NGINX_HTTPS_CERT_KEY }};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
{{ end }}
root {{ .Env.NGINX_ROOT }};
Expand Down
62 changes: 62 additions & 0 deletions 8.4-debian-nginx-prod/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
FROM debian:bookworm AS cert

WORKDIR /kool/ssl

RUN apt-get update && \
apt-get install -y openssl && \
openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 && \
openssl rsa -passin pass:x -in server.pass.key -out _.localhost.key && \
rm server.pass.key && \
openssl req -new -key _.localhost.key -out server.csr \
-subj "/C=XX/ST=XX/L=XX/O=Kool-Local/OU=Localhost/CN=*.localhost" && \
openssl x509 -req -days 365 -in server.csr -signkey _.localhost.key -out _.localhost.crt && \
openssl x509 -in _.localhost.crt -out _.localhost.pem

FROM kooldev/php:8.4-debian-prod

ENV PHP_FPM_LISTEN=/run/php-fpm.sock \
NGINX_LISTEN=80 \
NGINX_HTTPS=false \
NGINX_LISTEN_HTTPS=443 \
NGINX_HTTPS_CERT=/kool/ssl/_.localhost.pem \
NGINX_HTTPS_CERT_KEY=/kool/ssl/_.localhost.key \
NGINX_ROOT=/app/public \
NGINX_INDEX=index.php \
NGINX_CLIENT_MAX_BODY_SIZE=25M \
NGINX_PHP_FPM=unix:/run/php-fpm.sock \
NGINX_FASTCGI_READ_TIMEOUT=60s \
NGINX_FASTCGI_BUFFERS='8 8k' \
NGINX_FASTCGI_BUFFER_SIZE='16k' \
NGINX_ENTRYPOINT_WORKER_PROCESSES_AUTOTUNE=true

RUN apt-get update && apt-get install -y --no-install-recommends supervisor nginx wget \
&& chown -R kool:kool /var/lib/nginx \
&& chmod 770 /var/lib/nginx \
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log \
# add h5bp/server-configs-nginx
&& mkdir -p /etc/nginx/conf.d \
&& mkdir /etc/nginx/h5bp \
&& cd /etc/nginx/h5bp \
&& wget https://github.com/h5bp/server-configs-nginx/archive/refs/tags/5.0.1.tar.gz -O h5bp.tgz \
&& tar xzvf h5bp.tgz \
Comment on lines +41 to +42
Copy link

Copilot AI Jan 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These commands pull Nginx configuration files from a third-party GitHub repository using wget and extract them without integrity verification. A compromised or malicious archive could alter the bundled Nginx configuration in unsafe ways in this production image. Use a pinned, trusted artifact and verify its checksum or signature before unpacking.

Copilot uses AI. Check for mistakes.
&& rm -f h5bp.tgz \
&& mv server-configs-nginx-*/h5bp/* . \
&& mv server-configs-nginx-*/nginx.conf /etc/nginx/nginx.conf \
&& sed -i "s|^user .*|user\ kool kool;|g" /etc/nginx/nginx.conf \
&& mv server-configs-nginx-*/mime.types /etc/nginx/mime.types \
&& rm -rf server-configs-nginx-* \
&& curl -L https://raw.githubusercontent.com/nginxinc/docker-nginx/master/entrypoint/30-tune-worker-processes.sh -o /kool/30-tune-worker-processes.sh \
&& chmod +x /kool/30-tune-worker-processes.sh \
Comment thread
fabriciojs marked this conversation as resolved.
&& apt-get purge -y --auto-remove wget \
&& rm -rf /var/lib/apt/lists/*

COPY supervisor.conf /kool/supervisor.conf
COPY default.tmpl /kool/default.tmpl
COPY entrypoint /kool/entrypoint
COPY --from=cert /kool/ssl /kool/ssl
RUN chmod +x /kool/entrypoint

EXPOSE 80

CMD [ "supervisord", "-c", "/kool/supervisor.conf" ]
Loading
Loading