Skip to content

bump s6-overlay to 3.2.0.0 #49

bump s6-overlay to 3.2.0.0

bump s6-overlay to 3.2.0.0 #49

Workflow file for this run

name: Build PHPFPM Images
on:
push:
branches:
- master
schedule:
- cron: "0 5 1 * *"
workflow_dispatch:
env:
REGISTRY: ghcr.io
IMAGE_NAME: nhsl-ubuntu-phpv2
ORG: nhsleadership
jobs:
build-php-fpm-exporter:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: create cache to store artifact
uses: actions/cache@v4
with:
path: artifacts
key: exporter-key
- name: checkout php-fpm_exporter repo
uses: actions/checkout@v3
with:
repository: sysdiglabs/php-fpm_exporter
- uses: actions/setup-go@v5
with:
go-version: '^1.23.0'
- name: build php-fpm exporter
run: |
mkdir -p artifacts
go build -o artifacts/php-fpm_exporter
build-php72-image:
runs-on: ubuntu-latest
needs: build-php-fpm-exporter
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Restore exporter cache
uses: actions/cache/restore@v4
with:
path: artifacts
key: exporter-key
- name: grab exporter artifact
run: |
mkdir -p phpfpm/rootfs/usr/local/bin/
cp artifacts/php-fpm_exporter phpfpm/rootfs/usr/local/bin/
- name: Get lists of PHP modules to install
run: |
echo "PHP72MODS=$(awk '$1=$1' ORS=' ' ./phpfpm/php72.txt)" >> $GITHUB_ENV
- name: Login to GHCR
uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push PHP 7.2
uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
with:
context: ./phpfpm
push: true
tags: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}:7.2-master
labels: ${{ steps.meta.outputs.labels }}
build-args: |
PHP_VERSION=7.2
PHP_PACKAGES=${{ env.PHP72MODS }}
- name: Trivy scan PHP 7.2 image
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}:7.2-master
format: 'sarif'
output: 'trivy-results72.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
- name: Upload Trivy PHP 7.2 results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results72.sarif'
category: phpfpm
build-php73-image:
runs-on: ubuntu-latest
needs: build-php-fpm-exporter
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Restore exporter cache
uses: actions/cache/restore@v4
with:
path: artifacts
key: exporter-key
- name: grab exporter artifact
run: |
mkdir -p phpfpm/rootfs/usr/local/bin/
cp artifacts/php-fpm_exporter phpfpm/rootfs/usr/local/bin/
- name: Get lists of PHP modules to install
run: |
echo "PHP73MODS=$(awk '$1=$1' ORS=' ' ./phpfpm/php73.txt)" >> $GITHUB_ENV
- name: Login to GHCR
uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push PHP 7.3
uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
with:
context: ./phpfpm
push: true
tags: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}:7.3-master
labels: ${{ steps.meta.outputs.labels }}
build-args: |
PHP_VERSION=7.3
PHP_PACKAGES=${{ env.PHP73MODS }}
- name: Trivy scan PHP 7.3 image
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}:7.3-master
format: 'sarif'
output: 'trivy-results73.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
- name: Upload Trivy PHP 7.3 results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results73.sarif'
category: phpfpm
build-php74-image:
runs-on: ubuntu-latest
needs: build-php-fpm-exporter
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Restore exporter cache
uses: actions/cache/restore@v4
with:
path: artifacts
key: exporter-key
- name: grab exporter artifact
run: |
mkdir -p phpfpm/rootfs/usr/local/bin/
cp artifacts/php-fpm_exporter phpfpm/rootfs/usr/local/bin/
- name: Get lists of PHP modules to install
run: |
echo "PHP74MODS=$(awk '$1=$1' ORS=' ' ./phpfpm/php74.txt)" >> $GITHUB_ENV
- name: Login to GHCR
uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push PHP 7.4
uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
with:
context: ./phpfpm
push: true
tags: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}:7.4-master
labels: ${{ steps.meta.outputs.labels }}
build-args: |
PHP_VERSION=7.4
PHP_PACKAGES=${{ env.PHP74MODS }}
- name: Trivy scan PHP 7.4 image
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}:7.4-master
format: 'sarif'
output: 'trivy-results74.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
- name: Upload Trivy PHP 7.4 results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results74.sarif'
category: phpfpm
build-php80-image:
runs-on: ubuntu-latest
needs: build-php-fpm-exporter
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Restore exporter cache
uses: actions/cache/restore@v4
with:
path: artifacts
key: exporter-key
- name: grab exporter artifact
run: |
mkdir -p phpfpm/rootfs/usr/local/bin/
cp artifacts/php-fpm_exporter phpfpm/rootfs/usr/local/bin/
- name: Get lists of PHP modules to install
run: |
echo "PHP80MODS=$(awk '$1=$1' ORS=' ' ./phpfpm/php80.txt)" >> $GITHUB_ENV
- name: Login to GHCR
uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push PHP 8.0
uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
with:
context: ./phpfpm
push: true
tags: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}:8.0-master
labels: ${{ steps.meta.outputs.labels }}
build-args: |
PHP_VERSION=8.0
PHP_PACKAGES=${{ env.PHP80MODS }}
- name: Trivy scan PHP 8.0 image
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}:8.0-master
format: 'sarif'
output: 'trivy-results80.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
- name: Upload Trivy PHP 8.0 results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results80.sarif'
category: phpfpm
build-php81-image:
runs-on: ubuntu-latest
needs: build-php-fpm-exporter
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Restore exporter cache
uses: actions/cache/restore@v4
with:
path: artifacts
key: exporter-key
- name: grab exporter artifact
run: |
mkdir -p phpfpm/rootfs/usr/local/bin/
cp artifacts/php-fpm_exporter phpfpm/rootfs/usr/local/bin/
- name: Get lists of PHP modules to install
run: |
echo "PHP81MODS=$(awk '$1=$1' ORS=' ' ./phpfpm/php81.txt)" >> $GITHUB_ENV
- name: Login to GHCR
uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push PHP 8.1
uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
with:
context: ./phpfpm
push: true
tags: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}:8.1-master
labels: ${{ steps.meta.outputs.labels }}
build-args: |
PHP_VERSION=8.1
PHP_PACKAGES=${{ env.PHP81MODS }}
- name: Trivy scan PHP 8.1 image
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}:8.1-master
format: 'sarif'
output: 'trivy-results81.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
- name: Upload Trivy PHP 8.1 results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results81.sarif'
category: phpfpm
build-php82-image:
runs-on: ubuntu-latest
needs: build-php-fpm-exporter
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Restore exporter cache
uses: actions/cache/restore@v4
with:
path: artifacts
key: exporter-key
- name: grab exporter artifact
run: |
mkdir -p phpfpm/rootfs/usr/local/bin/
cp artifacts/php-fpm_exporter phpfpm/rootfs/usr/local/bin/
- name: Get lists of PHP modules to install
run: |
echo "PHP82MODS=$(awk '$1=$1' ORS=' ' ./phpfpm/php82.txt)" >> $GITHUB_ENV
- name: Login to GHCR
uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push PHP 8.2
uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
with:
context: ./phpfpm
push: true
tags: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}:8.2-master
labels: ${{ steps.meta.outputs.labels }}
build-args: |
PHP_VERSION=8.2
PHP_PACKAGES=${{ env.PHP82MODS }}
- name: Trivy scan PHP 8.2 image
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}:8.2-master
format: 'sarif'
output: 'trivy-results82.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
- name: Upload Trivy PHP 8.2 results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results82.sarif'
category: phpfpm
build-php83-image:
runs-on: ubuntu-latest
needs: build-php-fpm-exporter
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Restore exporter cache
uses: actions/cache/restore@v4
with:
path: artifacts
key: exporter-key
- name: grab exporter artifact
run: |
mkdir -p phpfpm/rootfs/usr/local/bin/
cp artifacts/php-fpm_exporter phpfpm/rootfs/usr/local/bin/
- name: Get lists of PHP modules to install
run: |
echo "PHP83MODS=$(awk '$1=$1' ORS=' ' ./phpfpm/php83.txt)" >> $GITHUB_ENV
- name: Login to GHCR
uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push PHP 8.3
uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
with:
context: ./phpfpm
push: true
tags: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}:8.3-master
labels: ${{ steps.meta.outputs.labels }}
build-args: |
PHP_VERSION=8.3
PHP_PACKAGES=${{ env.PHP83MODS }}
- name: Trivy scan PHP 8.3 image
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.ORG }}/${{ env.IMAGE_NAME }}:8.3-master
format: 'sarif'
output: 'trivy-results83.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
- name: Upload Trivy PHP 8.3 results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results83.sarif'
category: phpfpm