
GitHub Actions workflow file security hardening #196


##########################################################################
#
# WARNING: This file was generated by update.php.
#
# You can find the relevant template in the `/templates` folder.
#
name: Build test images
on:
pull_request:
workflow_dispatch:
env:
REGISTRY_USERNAME: desrosj
REGISTRY_PASSWORD: ${{ secrets.GHCR_TOKEN }}
PACKAGE_REGISTRY_HOST: ghcr.io
PACKAGE_REGISTRY: ghcr.io/wordpress/wpdev-docker-images
PR_TAG: -${{ github.event.number }}
# Cancels all previous workflow runs for pull requests that have not completed.
concurrency:
# The concurrency group contains the workflow name and the branch name for pull requests
# or the commit hash for any other events.
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
jobs:
check-for-changes:
name: Check for uncommitted changes
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false
- name: Setup PHP
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v.2.31.1
with:
php-version: 'latest'
- name: Build images
run: php update.php
- name: Ensure version-controlled files are not modified or deleted
run: git diff --exit-code
build-php-images:
name: PHP ${{ matrix.php }} Image
runs-on: ubuntu-latest
needs: [ check-for-changes ]
strategy:
matrix:
php: [ '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ]
env:
PHP_VERSION: ${{ matrix.php }}
PHP_LATEST: '8.2'
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false
- name: Login to the package registry
run: |
echo "$REGISTRY_PASSWORD" | docker login "$PACKAGE_REGISTRY_HOST" -u "$REGISTRY_USERNAME" --password-stdin
- name: Build Docker image
run: |
docker build \
--build-arg PACKAGE_REGISTRY="$PACKAGE_REGISTRY" \
--build-arg PR_TAG="$PR_TAG" \
-t "$PACKAGE_REGISTRY/php:$PHP_VERSION-fpm$PR_TAG" \
"images/$PHP_VERSION/php"
- name: Log Docker images
run: docker images
- name: Push Docker image
run: docker push "$PACKAGE_REGISTRY/php:$PHP_VERSION-fpm$PR_TAG"
- name: Push image as latest
if: ${{ env.PHP_LATEST == env.PHP_VERSION }}
run: |
docker image tag "$PACKAGE_REGISTRY/php:$PHP_VERSION-fpm$PR_TAG" "$PACKAGE_REGISTRY/php:latest$PR_TAG"
docker images
docker push "$PACKAGE_REGISTRY/php:latest$PR_TAG"
build-cli-images:
name: CLI on PHP ${{ matrix.php }}
runs-on: ubuntu-latest
needs: build-php-images
strategy:
matrix:
php: [ '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ]
permissions:
contents: read
env:
PHP_VERSION: ${{ matrix.php }}
PHP_LATEST: '8.2'
steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false
- name: Login to the package registry
run: |
echo "$REGISTRY_PASSWORD" | docker login "$PACKAGE_REGISTRY_HOST" -u "$REGISTRY_USERNAME" --password-stdin
- name: Build Docker image
run: |
docker build \
--build-arg PACKAGE_REGISTRY="$PACKAGE_REGISTRY" \
--build-arg PR_TAG="$PR_TAG" \
-t "$PACKAGE_REGISTRY/cli:$PHP_VERSION-fpm$PR_TAG" \
"images/$PHP_VERSION/cli"
- name: Log Docker images
run: docker images
- name: Push Docker image
run: docker push "$PACKAGE_REGISTRY/cli:$PHP_VERSION-fpm$PR_TAG"
- name: Push image as latest
if: ${{ env.PHP_LATEST == env.PHP_VERSION }}
run: |
docker image tag "$PACKAGE_REGISTRY/cli:$PHP_VERSION-fpm$PR_TAG" "$PACKAGE_REGISTRY/cli:latest$PR_TAG"
docker push "$PACKAGE_REGISTRY/cli:latest$PR_TAG"
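Review bot: `REGISTRY_PASSWORD: ${{ secrets.GHCR_TOKEN }}` sits in the workflow-level `env`, so the registry token is injected into the environment of every step of every job — `php update.php`, every `docker build`, and the third-party `actions/checkout` and `setup-php` steps — although only the two "Login to the package registry" steps read it. Scoping it to those steps keeps the token out of all other process environments: remove it from the top-level `env` and add `env:` / `  REGISTRY_PASSWORD: ${{ secrets.GHCR_TOKEN }}` under each login step in build-php-images and build-cli-images. Separately, `PR_TAG: -${{ github.event.number }}` appears to evaluate to a bare `-` on the `workflow_dispatch` trigger, since that event carries no `number`, which would yield image tags ending in a trailing hyphen; conditioning it on `github.event_name == 'pull_request'` is worth confirming. The hard-coded `REGISTRY_USERNAME: desrosj` ties the push credential to an individual account; if the repository's `GITHUB_TOKEN` with a job-level `packages: write` is an option here, it would remove the long-lived personal token entirely, but that depends on how the images are owned and is only a suggestion.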