LycheeOrg
diff --git a/‎.dockerignore‎
Lines changed: 60 additions & 0 deletions b/‎.dockerignore‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎.github/workflows/CICD.yml‎
Lines changed: 95 additions & 0 deletions b/‎.github/workflows/CICD.yml‎
Lines changed: 95 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 141 additions & 0 deletions b/‎Dockerfile‎
Lines changed: 141 additions & 0 deletions
@@ -0,0 +1,60 @@
+# Git
+.git
+.gitignore
+.gitattributes
+
+# CI/CD
+.github
+
+# Coding
+.ai
+.vscode
+
+# dependencies
+composer-cache
+
+# Documentation
+README.md
+docs/
+
+# Development files
+.editorconfig
+.php-cs-fixer.php
+.php-cs-fixer.cache
+phpstan.neon
+phpunit.xml
+.phpunit.result.cache
+phpstan/*
+scripts/*
+vite/*
+
+# Node
+node_modules/
+npm-debug.log
+
+# Lychee
+/public/uploads/*
+lychee/*
+
+# Laravel
+/storage/logs/*
+/storage/framework/cache/*
+/storage/framework/sessions/*
+/storage/framework/views/*
+.env
+.env.*
+!.env.example
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Tests
+tests/*
@@ -148,6 +148,101 @@ jobs:
       - code_style_errors
     uses: ./.github/workflows/php_dist.yml
 
+  docker_check:
+    name: 3️⃣ Dockerfile Lint
+    runs-on: ubuntu-latest
+    needs:
+      - phpstan
+      - check_js
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f #v3.12.0
+
+      - name: Docker Lint
+        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        with:
+          dockerfile: ./Dockerfile
+          failure-threshold: warning
+
+      - name: Build Docker image locally
+        run: docker build -t lychee:local .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        with:
+          image-ref: lychee:local
+          format: 'table'
+          exit-code: 1
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+  docker-build:
+    name:  4️⃣ Build Docker Image
+    runs-on: ubuntu-latest
+    if: >
+      (github.ref == 'refs/heads/master' && github.event_name == 'push') ||
+      (startsWith(github.ref, 'refs/tags/') && github.event_name == 'push')
+    needs:
+      - docker_check
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f #v3.12.0
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        with:
+          images: ghcr.io/${{ github.repository }}
+          flavor: |
+              latest=${{ startsWith(github.ref, 'refs/tags/') }}
+          tags: |
+            # define default branch
+            type=edge,branch=master
+            # branch event
+            type=ref,event=branch
+            # tag event
+            type=ref,event=tag
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            NODE_ENV=production
+
   createArtifact:
     name: 3️⃣ Build Artifact
     if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
 
@@ -0,0 +1,141 @@
+# Lychee - Laravel Backend Dockerfile
+# Multi-stage build with Laravel Octane + FrankenPHP
+ARG NODE_ENV=production
+
+# ============================================================================
+# Stage 1: Composer Dependencies
+# ============================================================================
+FROM composer:2.8@sha256:5248900ab8b5f7f880c2d62180e40960cd87f60149ec9a1abfd62ac72a02577c AS composer
+
+WORKDIR /app
+
+# Copy composer files first for layer caching
+COPY composer.json composer.lock ./
+
+# Install dependencies (no dev packages for production)
+RUN composer install \
+    --no-dev \
+    --no-interaction \
+    --no-progress \
+    --no-scripts \
+    --prefer-dist \
+    --optimize-autoloader \
+    --ignore-platform-reqs
+
+# ============================================================================
+# Stage 2: Node.js Build for Frontend Assets
+# ============================================================================
+FROM node:20-alpine@sha256:658d0f63e501824d6c23e06d4bb95c71e7d704537c9d9272f488ac03a370d448 AS node
+
+# Build argument to control dev vs production build
+ARG NODE_ENV
+ENV NODE_ENV=$NODE_ENV
+
+WORKDIR /app
+
+# Copy package files for layer caching
+COPY package.json package-lock.json ./
+
+# Install dependencies
+RUN npm ci --no-audit
+
+# Copy frontend source
+COPY resources/ ./resources/
+COPY public/ ./public/
+COPY lang/ ./lang/
+COPY vite.config.ts vite.embed.config.ts tsconfig.json ./
+
+# Build frontend assets
+# When NODE_ENV=development, Vite sets import.meta.env.DEV=true
+RUN npm run build
+
+# ============================================================================
+# Stage 3: Production FrankenPHP Image
+# ============================================================================
+FROM dunglas/frankenphp:php8.4-alpine@sha256:49654aea8f2b9bc225bde6d89c9011054505ca2ed3e9874b251035128518b491
+
+ARG USER=appuser
+
+LABEL maintainer="lycheeorg"
+LABEL org.opencontainers.image.source="https://github.com/LycheeOrg/Lychee"
+
+# Install system utilities and PHP extensions
+# hadolint ignore=DL3018
+RUN apk add --no-cache \
+    exiftool \
+	shadow \
+    ffmpeg \
+    gd \
+    grep \
+    imagemagick \
+    jpegoptim \
+	netcat-openbsd \
+	unzip \
+    curl \
+    && install-php-extensions \
+    pdo_mysql \
+    pdo_pgsql \
+    gd \
+    zip \
+	dom \
+    bcmath \
+    sodium \
+    opcache \
+    pcntl \
+	exif \
+	imagick \
+	intl \
+	redis \
+	tokenizer \
+	&& rm -rf /var/cache/apk/* \
+	&& apk del shadow
+
+WORKDIR /app
+
+# Copy application code
+COPY --chown=www-data:www-data . .
+
+# Copy vendor from composer stage
+COPY --from=composer --chown=www-data:www-data /app/vendor ./vendor
+
+# Copy built frontend assets from node stage
+COPY --from=node --chown=www-data:www-data /app/public/build ./public/build
+
+# Ensure storage and bootstrap/cache are writable with minimal permissions
+RUN mkdir -p storage/framework/cache \
+    storage/framework/sessions \
+    storage/framework/views \
+    storage/logs \
+    bootstrap/cache \
+    public/dist \
+    && chown -R www-data:www-data storage bootstrap/cache public/dist \
+    && chmod -R 750 storage bootstrap/cache \
+    && chmod -R 755 public/dist \
+	&& touch /app/frankenphp_target \
+	&& touch /app/public/dist/user.css \
+	&& touch /app/public/dist/custom.js \
+	&& chown www-data:www-data /app/public/dist/user.css /app/public/dist/custom.js \
+	&& chmod 644 /app/public/dist/user.css /app/public/dist/custom.js \
+	&& cp $PHP_INI_DIR/php.ini-production $PHP_INI_DIR/php.ini \
+    && echo "upload_max_filesize=110M" > $PHP_INI_DIR/conf.d/custom.ini \
+    && echo "post_max_size=110M" >> $PHP_INI_DIR/conf.d/custom.ini \
+	&& echo "max_execution_time=3000" >> $PHP_INI_DIR/conf.d/custom.ini \
+	&& echo "expose_php=Off" >> $PHP_INI_DIR/conf.d/custom.ini \
+	&& echo "display_errors=Off" >> $PHP_INI_DIR/conf.d/custom.ini \
+	&& echo "log_errors=On" >> $PHP_INI_DIR/conf.d/custom.ini
+
+# Copy entrypoint and validation scripts
+COPY docker/scripts/entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY docker/scripts/validate-env.sh /usr/local/bin/validate-env.sh
+COPY docker/scripts/create-admin-user.sh /usr/local/bin/create-admin-user.sh
+COPY docker/scripts/permissions-check.sh /usr/local/bin/permissions-check.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh /usr/local/bin/validate-env.sh /usr/local/bin/permissions-check.sh /usr/local/bin/create-admin-user.sh
+
+# Expose port 8000 (Octane)
+EXPOSE 8000
+
+# Set entrypoint
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+
+# Default command: run Octane with FrankenPHP
+CMD ["php", "artisan", "octane:start", "--server=frankenphp", "--host=0.0.0.0", "--port=8000"]