frankenphp/.github/workflows/docker.yaml

---
name: Build Docker images
concurrency:
  cancel-in-progress: true
  group: ${{ github.workflow }}-${{ github.ref }}
on:
  pull_request:
    branches:
      - main
    paths-ignore:
      - "docs/**"
  push:
    branches:
      - main
    tags:
      - v*.*.*
  workflow_dispatch:
    inputs:
      #checkov:skip=CKV_GHA_7
      version:
        description: "FrankenPHP version"
        required: false
        type: string
  schedule:
    - cron: "0 4 * * *"
permissions:
  contents: read
env:
  IMAGE_NAME: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && 'dunglas/frankenphp' || 'dunglas/frankenphp-dev' }}
jobs:
  prepare:
    runs-on: ubuntu-latest
    outputs:
      # Push if it's a scheduled job, a tag, or if we're committing to the main branch
      push: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main' && github.event_name != 'pull_request')) && true || false }}
      variants: ${{ steps.matrix.outputs.variants }}
      platforms: ${{ steps.matrix.outputs.platforms }}
      metadata: ${{ steps.matrix.outputs.metadata }}
      php_version: ${{ steps.check.outputs.php_version }}
      php82_version: ${{ steps.check.outputs.php82_version }}
      php83_version: ${{ steps.check.outputs.php83_version }}
      skip: ${{ steps.check.outputs.skip }}
      ref: ${{ steps.check.outputs.ref || (github.event_name == 'workflow_dispatch' && inputs.version) || '' }}
    steps:
      - name: Check PHP versions
        id: check
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          PHP_82_LATEST=$(skopeo inspect docker://docker.io/library/php:8.2 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
          PHP_83_LATEST=$(skopeo inspect docker://docker.io/library/php:8.3 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
          PHP_84_LATEST=$(skopeo inspect docker://docker.io/library/php:8.4 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
          {
            echo php_version="${PHP_82_LATEST},${PHP_83_LATEST},${PHP_84_LATEST}"
            echo php82_version="${PHP_82_LATEST//./-}"
            echo php83_version="${PHP_83_LATEST//./-}"
            echo php84_version="${PHP_84_LATEST//./-}"
          } >> "${GITHUB_OUTPUT}"

          # Check if the Docker images must be rebuilt
          if [[ "${GITHUB_EVENT_NAME}" != "schedule"  ]]; then
              echo skip=false >> "${GITHUB_OUTPUT}"
              exit 0
          fi

          FRANKENPHP_82_LATEST=$(skopeo inspect docker://docker.io/dunglas/frankenphp:php8.2 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
          FRANKENPHP_83_LATEST=$(skopeo inspect docker://docker.io/dunglas/frankenphp:php8.3 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
          FRANKENPHP_84_LATEST=$(skopeo inspect docker://docker.io/dunglas/frankenphp:php8.4 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')

          if [[ "${FRANKENPHP_82_LATEST}" == "${PHP_82_LATEST}" ]] && [[ "${FRANKENPHP_83_LATEST}" == "${PHP_83_LATEST}" ]] && [[ "${FRANKENPHP_84_LATEST}" == "${PHP_84_LATEST}" ]]; then
              echo skip=true >> "${GITHUB_OUTPUT}"
              exit 0
          fi

          {
            echo ref="$(gh release view --repo dunglas/frankenphp --json tagName --jq '.tagName')"
            echo skip=false
          } >> "${GITHUB_OUTPUT}"
      - uses: actions/checkout@v4
        if: ${{ !fromJson(steps.check.outputs.skip) }}
        with:
          ref: ${{ steps.check.outputs.ref }}
      - name: Set up Docker Buildx
        if: ${{ !fromJson(steps.check.outputs.skip) }}
        uses: docker/setup-buildx-action@v3
      - name: Create variants matrix
        if: ${{ !fromJson(steps.check.outputs.skip) }}
        id: matrix
        shell: bash
        run: |
          set -e
          METADATA="$(docker buildx bake --print | jq -c)"
          {
            echo metadata="${METADATA}"
            echo variants="$(jq -c '.group.default.targets|map(sub("runner-|builder-"; ""))|unique' <<< "${METADATA}")"
            echo platforms="$(jq -c 'first(.target[]) | .platforms' <<< "${METADATA}")"
          } >> "${GITHUB_OUTPUT}"
        env:
          SHA: ${{ github.sha }}
          VERSION: ${{ (github.ref_type == 'tag' && github.ref_name) || steps.check.outputs.ref || 'dev' }}
          PHP_VERSION: ${{ steps.check.outputs.php_version }}
  build:
    runs-on: ubuntu-latest
    needs:
      - prepare
    if: ${{ !fromJson(needs.prepare.outputs.skip) }}
    strategy:
      fail-fast: false
      matrix:
        variant: ${{ fromJson(needs.prepare.outputs.variants) }}
        platform: ${{ fromJson(needs.prepare.outputs.platforms) }}
        include:
          - race: ""
            qemu: true
          - platform: linux/amd64
            qemu: false
            race: "-race" # The Go race detector is only supported on amd64
          - platform: linux/386
            qemu: false
        exclude:
          # arm/v6 is only available for Alpine: https://github.com/docker-library/golang/issues/502
          - variant: php-${{ needs.prepare.outputs.php82_version }}-bookworm
            platform: linux/arm/v6
          - variant: php-${{ needs.prepare.outputs.php83_version }}-bookworm
            platform: linux/arm/v6
    steps:
      - name: Prepare
        id: prepare
        run: |
          platform=${{ matrix.platform }}
          echo "sanitized_platform=${platform//\//-}" >> "${GITHUB_OUTPUT}"
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.prepare.outputs.ref }}
      - name: Set up QEMU
        if: matrix.qemu
        uses: docker/setup-qemu-action@v3
        with:
          platforms: ${{ matrix.platform }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          platforms: ${{ matrix.platform }}
      - name: Login to DockerHub
        if: fromJson(needs.prepare.outputs.push)
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      - name: Build
        id: build
        uses: docker/bake-action@v5
        with:
          pull: true
          load: ${{ !fromJson(needs.prepare.outputs.push) }}
          targets: |
            builder-${{ matrix.variant }}
            runner-${{ matrix.variant }}
          # Remove tags to prevent "can't push tagged ref [...] by digest" error
          set: |
            ${{ (github.event_name == 'pull_request') && '*.args.NO_COMPRESS=1' || '' }}
            *.tags=
            *.platform=${{ matrix.platform }}
            builder-${{ matrix.variant }}.cache-from=type=gha,scope=builder-${{ matrix.variant }}-${{ needs.prepare.outputs.ref || github.ref }}-${{ matrix.platform }}
            builder-${{ matrix.variant }}.cache-from=type=gha,scope=refs/heads/main-builder-${{ matrix.variant }}-${{ matrix.platform }}
            builder-${{ matrix.variant }}.cache-to=type=gha,scope=builder-${{ matrix.variant }}-${{ needs.prepare.outputs.ref || github.ref }}-${{ matrix.platform }},ignore-error=true
            runner-${{ matrix.variant }}.cache-from=type=gha,scope=runner-${{ matrix.variant }}-${{ needs.prepare.outputs.ref || github.ref }}-${{ matrix.platform }}
            runner-${{ matrix.variant }}.cache-from=type=gha,scope=refs/heads/main-runner-${{ matrix.variant }}-${{ matrix.platform }}
            runner-${{ matrix.variant }}.cache-to=type=gha,scope=runner-${{ matrix.variant }}-${{ needs.prepare.outputs.ref || github.ref }}-${{ matrix.platform }},ignore-error=true
            ${{ fromJson(needs.prepare.outputs.push) && format('*.output=type=image,name={0},push-by-digest=true,name-canonical=true,push=true', env.IMAGE_NAME) || '' }}
        env:
          SHA: ${{ github.sha }}
          VERSION: ${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref || 'dev' }}
          PHP_VERSION: ${{ needs.prepare.outputs.php_version }}
      - # Workaround for https://github.com/actions/runner/pull/2477#issuecomment-1501003600
        name: Export metadata
        if: fromJson(needs.prepare.outputs.push)
        run: |
          mkdir -p /tmp/metadata/builder /tmp/metadata/runner

          builderDigest=$(jq -r '."builder-${{ matrix.variant }}"."containerimage.digest"' <<< "${METADATA}")
          touch "/tmp/metadata/builder/${builderDigest#sha256:}"

          runnerDigest=$(jq -r '."runner-${{ matrix.variant }}"."containerimage.digest"' <<< "${METADATA}")
          touch "/tmp/metadata/runner/${runnerDigest#sha256:}"
        env:
          METADATA: ${{ steps.build.outputs.metadata }}
      - name: Upload builder metadata
        if: fromJson(needs.prepare.outputs.push)
        uses: actions/upload-artifact@v4
        with:
          name: metadata-builder-${{ matrix.variant }}-${{ steps.prepare.outputs.sanitized_platform }}
          path: /tmp/metadata/builder/*
          if-no-files-found: error
          retention-days: 1
      - name: Upload runner metadata
        if: fromJson(needs.prepare.outputs.push)
        uses: actions/upload-artifact@v4
        with:
          name: metadata-runner-${{ matrix.variant }}-${{ steps.prepare.outputs.sanitized_platform }}
          path: /tmp/metadata/runner/*
          if-no-files-found: error
          retention-days: 1
      - name: Run tests
        if: ${{ !matrix.qemu && !fromJson(needs.prepare.outputs.push) }}
        run: |
          docker run --platform=${{ matrix.platform }} --rm \
            "$(jq -r '."builder-${{ matrix.variant }}"."containerimage.config.digest"' <<< "${METADATA}")" \
            sh -c 'go test -tags ${{ matrix.race }} -v ./... && cd caddy && go test -tags nobadger,nomysql,nopgx ${{ matrix.race }} -v ./...'
        env:
          METADATA: ${{ steps.build.outputs.metadata }}
  # Adapted from https://docs.docker.com/build/ci/github-actions/multi-platform/
  push:
    runs-on: ubuntu-latest
    needs:
      - prepare
      - build
    if: fromJson(needs.prepare.outputs.push)
    strategy:
      fail-fast: false
      matrix:
        variant: ${{ fromJson(needs.prepare.outputs.variants) }}
        target: ["builder", "runner"]
    steps:
      - name: Download metadata
        uses: actions/download-artifact@v4
        with:
          pattern: metadata-${{ matrix.target }}-${{ matrix.variant }}-*
          path: /tmp/metadata
          merge-multiple: true
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      - name: Create manifest list and push
        working-directory: /tmp/metadata
        run: |
          set -x
          # shellcheck disable=SC2046,SC2086
          docker buildx imagetools create $(jq -cr '.target."${{ matrix.target }}-${{ matrix.variant }}".tags | map("-t " + .) | join(" ")' <<< ${METADATA}) \
            $(printf "${IMAGE_NAME}@sha256:%s " *)
        env:
          METADATA: ${{ needs.prepare.outputs.metadata }}
      - name: Inspect image
        run: |
          # shellcheck disable=SC2046,SC2086
          docker buildx imagetools inspect $(jq -cr '.target."${{ matrix.target }}-${{ matrix.variant }}".tags | first' <<< ${METADATA})
        env:
          METADATA: ${{ needs.prepare.outputs.metadata }}