257 changes: 201 additions & 56 deletions .github/workflows/docker-hub.yml
@@ -22,10 +22,6 @@
- cron: '0 0 * * 0'

env:
REGISTRY_USERNAME: garypendergast
REGISTRY_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
PACKAGE_REGISTRY_HOST:
PACKAGE_REGISTRY: wordpressdevelop
PR_TAG:


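Review bot: Removing REGISTRY_USERNAME, REGISTRY_PASSWORD and the PACKAGE_REGISTRY_* entries from the workflow-level env is the right fix: a secret placed there is readable by every step of every job, not only the login step, and the hard-coded personal username goes with it. PR_TAG is kept but left empty here, and the jobs below interpolate it with `${{ env.PR_TAG }}` into image tags and build-args, so if nothing else sets it every run pushes the plain `<version>-fpm` and `latest` tags; a comment stating where, if anywhere, PR_TAG is populated would make that intent reviewable.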
@@ -43,89 +39,238 @@
jobs:

build-php-images:
name: PHP ${{ matrix.php }} Image
runs-on: ubuntu-latest
name: PHP ${{ matrix.php }} (${{ matrix.arch.type }}) Image
runs-on: ${{ matrix.arch.runner }}

Code scanning / octoscan (failure): Expression in a label: "${{ matrix.arch.runner }}". It might be a self-hosted runner.

permissions:
contents: read
strategy:
fail-fast: false
matrix:
php: [ '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ]
arch:
- type: linux/amd64
runner: ubuntu-24.04
- type: linux/arm64
runner: ubuntu-24.04-arm
env:
PHP_VERSION: ${{ matrix.php }}
PHP_LATEST: '8.2'
permissions:
contents: read
ARCH_TYPE: ${{ matrix.arch.type }}

steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Prepare
run: |

Code scanning / octoscan (failure): shellcheck reported issue in this script: SC2086:info:2:43: Double quote to prevent globbing and word splitting
platform="php-$PHP_VERSION-$ARCH_TYPE"
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV

Code scanning / octoscan (failure): Write to "$GITHUB_ENV" in a bash script.
- name: Docker meta
id: meta
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # 5.7.0
with:
images: ${{ vars.DOCKERHUB_PHP_IMAGE }}
- name: Login to Registry
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # 3.4.0
with:
persist-credentials: false

- name: Login to the package registry
run: |
echo "$REGISTRY_PASSWORD" | docker login "$PACKAGE_REGISTRY_HOST" -u "$REGISTRY_USERNAME" --password-stdin

- name: Build Docker image
run: |
docker build \
--build-arg PACKAGE_REGISTRY="$PACKAGE_REGISTRY" \
--build-arg PR_TAG="$PR_TAG" \
-t "$PACKAGE_REGISTRY/php:$PHP_VERSION-fpm$PR_TAG" \
"images/$PHP_VERSION/php"
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Log Docker images
run: docker images

- name: Push Docker image
run: docker push "$PACKAGE_REGISTRY/php:$PHP_VERSION-fpm$PR_TAG"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # 3.10.0

- name: Push image as latest
if: ${{ env.PHP_LATEST == env.PHP_VERSION }}
- name: Build and push by digest
id: build
uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # 6.17.0
with:
platforms: ${{ env.ARCH_TYPE }}
labels: ${{ steps.meta.outputs.labels }}
tags: ${{ vars.DOCKERHUB_PHP_IMAGE }}
outputs: type=image,push-by-digest=true,name-canonical=true,push=true
context: "{{defaultContext}}:images/${{ env.PHP_VERSION }}/php"

Code scanning / zizmor (warning): env.PHP_VERSION may expand into attacker-controllable code
build-args: |
PR_TAG=${{ env.PR_TAG }}

- name: Export digest
run: |
docker image tag "$PACKAGE_REGISTRY/php:$PHP_VERSION-fpm$PR_TAG" "$PACKAGE_REGISTRY/php:latest$PR_TAG"
docker images
docker push "$PACKAGE_REGISTRY/php:latest$PR_TAG"
mkdir -p ${{ runner.temp }}/digests

Code scanning / octoscan (failure): Expression injection, "steps.**.outputs.**" is potentially untrusted.
digest="${{ steps.build.outputs.digest }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}"
Code scanning / zizmor (note): steps.build.outputs.digest may expand into attacker-controllable code

build-cli-images:
name: CLI on PHP ${{ matrix.php }}
- name: Upload digest
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2
with:
name: digests-${{ env.PLATFORM_PAIR }}
path: ${{ runner.temp }}/digests/*
if-no-files-found: error
retention-days: 1

complete-php-images-platform:
name: Package multi-arch container image for PHP ${{ matrix.php }}
runs-on: ubuntu-latest
needs: build-php-images
strategy:
fail-fast: false
matrix:
php: [ '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ]
needs:
- build-php-images
env:
PHP_VERSION: ${{ matrix.php }}

steps:
- name: Download digests
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # 4.3.0
with:
path: ${{ runner.temp }}/digests
pattern: digests-php-${{ env.PHP_VERSION }}-*
merge-multiple: true

- name: Login to Registry
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # 3.4.0
with:


username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}


- name: Set up Docker Buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # 3.10.0

- name: Docker meta
id: meta
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # 5.7.0
with:
images: ${{ vars.DOCKERHUB_PHP_IMAGE }}
tags: |
type=raw,value=${{ env.PHP_VERSION }}-fpm${{ env.PR_TAG }}
type=raw,value=latest${{ env.PR_TAG }},enable=${{ '8.2' == env.PHP_VERSION }}

- name: Create manifest list and push
working-directory: ${{ runner.temp }}/digests
run: |

Code scanning / octoscan (failure): shellcheck reported issue in this script: SC2046:warning:2:3: Quote this to prevent word splitting
docker buildx imagetools create "$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON")" \
$(printf '${{ vars.DOCKERHUB_PHP_IMAGE }}@sha256:%s ' *)
Code scanning / zizmor (note): vars.DOCKERHUB_PHP_IMAGE may expand into attacker-controllable code

- name: Inspect image
run: |
docker buildx imagetools inspect ${{ vars.DOCKERHUB_PHP_IMAGE }}:${{ steps.meta.outputs.version }}

Code scanning / octoscan (failure): Expression injection, "steps.**.outputs.**" is potentially untrusted.
Code scanning / zizmor (note): vars.DOCKERHUB_PHP_IMAGE may expand into attacker-controllable code
Code scanning / zizmor (note): steps.meta.outputs.version may expand into attacker-controllable code

build-cli-images:
name: Build CLI on PHP ${{ matrix.php }} (${{ matrix.arch.type }})
runs-on: ${{ matrix.arch.runner }}

Code scanning / octoscan (failure): Expression in a label: "${{ matrix.arch.runner }}". It might be a self-hosted runner.
needs: complete-php-images-platform
permissions:
contents: read

strategy:
fail-fast: false
matrix:
php: [ '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ]
arch:
- type: linux/amd64
runner: ubuntu-24.04
- type: linux/arm64
runner: ubuntu-24.04-arm
env:
PHP_VERSION: ${{ matrix.php }}
PHP_LATEST: '8.2'
ARCH_TYPE: ${{ matrix.arch.type }}

steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Prepare
run: |

Code scanning / octoscan (failure): shellcheck reported issue in this script: SC2086:info:2:43: Double quote to prevent globbing and word splitting
platform="cli-$PHP_VERSION-$ARCH_TYPE"
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV

Code scanning / octoscan (failure): Write to "$GITHUB_ENV" in a bash script.
- name: Docker meta
id: meta
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # 5.7.0
with:
images: ${{ vars.DOCKERHUB_CLI_IMAGE }}
- name: Login to Registry
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # 3.4.0
with:
persist-credentials: false

- name: Login to the package registry
run: |
echo "$REGISTRY_PASSWORD" | docker login "$PACKAGE_REGISTRY_HOST" -u "$REGISTRY_USERNAME" --password-stdin

- name: Build Docker image
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # 3.10.0

- name: Build and push by digest
id: build
uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # 6.17.0
with:
platforms: ${{ env.ARCH_TYPE }}
labels: ${{ steps.meta.outputs.labels }}
tags: ${{ vars.DOCKERHUB_CLI_IMAGE }}
outputs: type=image,push-by-digest=true,name-canonical=true,push=true
context: "{{defaultContext}}:images/${{ env.PHP_VERSION }}/cli"

Code scanning / zizmor (warning): env.PHP_VERSION may expand into attacker-controllable code
build-args: |
PHP_BASE_IMAGE=${{ vars.DOCKERHUB_PHP_IMAGE }}
PR_TAG=${{ env.PR_TAG }}

- name: Export digest
run: |
docker build \
--build-arg PACKAGE_REGISTRY="$PACKAGE_REGISTRY" \
--build-arg PR_TAG="$PR_TAG" \
-t "$PACKAGE_REGISTRY/cli:$PHP_VERSION-fpm$PR_TAG" \
"images/$PHP_VERSION/cli"
mkdir -p ${{ runner.temp }}/digests

Code scanning / octoscan (failure): Expression injection, "steps.**.outputs.**" is potentially untrusted.
digest="${{ steps.build.outputs.digest }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}"
Code scanning / zizmor (note): steps.build.outputs.digest may expand into attacker-controllable code

- name: Upload digest
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2
with:
name: digests-${{ env.PLATFORM_PAIR }}
path: ${{ runner.temp }}/digests/*
if-no-files-found: error
retention-days: 1


complete-cli-images-platform:
name: Package multi-arch container image for CLI ${{ matrix.php }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
php: [ '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ]
needs:
- build-cli-images
env:
PHP_VERSION: ${{ matrix.php }}

steps:
- name: Download digests
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # 4.3.0
with:
path: ${{ runner.temp }}/digests
pattern: digests-cli-${{ env.PHP_VERSION }}-*
merge-multiple: true

- name: Login to Registry
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # 3.4.0
with:


username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Log Docker images
run: docker images

- name: Push Docker image
run: docker push "$PACKAGE_REGISTRY/cli:$PHP_VERSION-fpm$PR_TAG"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # 3.10.0

- name: Docker meta
id: meta
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # 5.7.0
with:
images: ${{ vars.DOCKERHUB_CLI_IMAGE }}
tags: |
type=raw,value=${{ env.PHP_VERSION }}-fpm${{ env.PR_TAG }}
type=raw,value=latest${{ env.PR_TAG }},enable=${{ '8.2' == env.PHP_VERSION }}

- name: Create manifest list and push
working-directory: ${{ runner.temp }}/digests
run: |

Code scanning / octoscan (failure): shellcheck reported issue in this script: SC2046:warning:2:3: Quote this to prevent word splitting
docker buildx imagetools create "$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON")" \
$(printf '${{ vars.DOCKERHUB_CLI_IMAGE }}@sha256:%s ' *)
Code scanning / zizmor (note): vars.DOCKERHUB_CLI_IMAGE may expand into attacker-controllable code

- name: Push image as latest
if: ${{ env.PHP_LATEST == env.PHP_VERSION }}
- name: Inspect image
run: |
docker image tag "$PACKAGE_REGISTRY/cli:$PHP_VERSION-fpm$PR_TAG" "$PACKAGE_REGISTRY/cli:latest$PR_TAG"
docker push "$PACKAGE_REGISTRY/cli:latest$PR_TAG"
docker buildx imagetools inspect ${{ vars.DOCKERHUB_CLI_IMAGE }}:${{ steps.meta.outputs.version }}

Code scanning / octoscan (failure): Expression injection, "steps.**.outputs.**" is potentially untrusted.
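Review bot: The "Create manifest list and push" step in both complete-* jobs quotes the whole jq output as a single argument: `docker buildx imagetools create "$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON")"` hands buildx one argv element of the form `-t img:7.2-fpm -t img:latest` instead of separate `-t` flags, so the tag list will not parse as intended. The quotes were presumably added for SC2046, but the fix is to build an array, e.g. `mapfile -t tag_args < <(jq -r '.tags[] | "-t", .' <<< "$DOCKER_METADATA_OUTPUT_JSON")` expanded as `"${tag_args[@]}"`, and to collect the digest references the same way (`for f in *; do refs+=("$IMAGE@sha256:$f"); done`) rather than relying on the unquoted `$(printf ...)` that SC2046 still flags. The expression-injection findings are all one pattern: `${{ steps.build.outputs.digest }}`, `${{ steps.meta.outputs.version }}` and `${{ vars.DOCKERHUB_*_IMAGE }}` are interpolated straight into `run:` scripts (Export digest, Create manifest list and push, Inspect image); these values come from the build action and repository variables rather than from a pull request, so exploitability is low, but routing them through a step-level `env:` and referencing `"$DIGEST"` / `"$IMAGE"` costs nothing and removes the finding. The `runs-on: ${{ matrix.arch.runner }}` warnings are false positives as long as the matrix only lists GitHub-hosted labels (ubuntu-24.04, ubuntu-24.04-arm); a comment on the matrix would make that reviewable. Smaller items: quote `"$GITHUB_ENV"` in the two Prepare steps (SC2086); declare `permissions: contents: read` on the complete-* jobs, which currently inherit the workflow default while the build jobs set it explicitly; and note that build-cli-images receives its base image as `PHP_BASE_IMAGE=${{ vars.DOCKERHUB_PHP_IMAGE }}` by name only, so the CLI build resolves whatever tag is live in the registry at that moment rather than the manifest the previous job just pushed, which makes the `needs: complete-php-images-platform` ordering weaker than it looks; passing the resulting digest forward and pinning the base image to it would close that gap.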