diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 3e01e034..97bed163 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -89,6 +89,7 @@ jobs: if: ${{ !fromJson(steps.check.outputs.skip) }} with: ref: ${{ steps.check.outputs.ref }} + persist-credentials: false - name: Set up Docker Buildx if: ${{ !fromJson(steps.check.outputs.skip) }} uses: docker/setup-buildx-action@v3 @@ -135,12 +136,13 @@ jobs: steps: - name: Prepare id: prepare - run: | - platform=${{ matrix.platform }} - echo "sanitized_platform=${platform//\//-}" >> "${GITHUB_OUTPUT}" + run: echo "sanitized_platform=${PLATFORM//\//-}" >> "${GITHUB_OUTPUT}" + env: + PLATFORM: ${{ matrix.platform }} - uses: actions/checkout@v5 with: ref: ${{ needs.prepare.outputs.ref }} + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: @@ -182,13 +184,14 @@ jobs: run: | mkdir -p /tmp/metadata/builder /tmp/metadata/runner - builderDigest=$(jq -r '."builder-${{ matrix.variant }}"."containerimage.digest"' <<< "${METADATA}") + builderDigest=$(jq -r ".\"builder-${VARIANT}\".\"containerimage.digest\"" <<< "${METADATA}") touch "/tmp/metadata/builder/${builderDigest#sha256:}" - runnerDigest=$(jq -r '."runner-${{ matrix.variant }}"."containerimage.digest"' <<< "${METADATA}") + runnerDigest=$(jq -r ".\"runner-${VARIANT}\".\"containerimage.digest\"" <<< "${METADATA}") touch "/tmp/metadata/runner/${runnerDigest#sha256:}" env: METADATA: ${{ steps.build.outputs.metadata }} + VARIANT: ${{ matrix.variant }} - name: Upload builder metadata if: fromJson(needs.prepare.outputs.push) uses: actions/upload-artifact@v4 
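Review bot: In the two `jq -r` calls of the `@@ -182` hunk the variant is still spliced into the jq program text — now by the shell through `${VARIANT}` inside a double-quoted filter rather than by the expression engine — so a value containing a double quote or backslash would still change the filter instead of being looked up. Passing it as data removes that class of problem: `builderDigest=$(jq -r --arg v "${VARIANT}" '.["builder-" + $v]["containerimage.digest"]' <<< "${METADATA}")`, and the same for `runnerDigest`. Because the value comes from `matrix.variant`, this is hardening and idiom rather than a live injection path; the same pattern appears in the `@@ -208` hunk (tests) and both `@@ -245` hunks (push) of this file. The step's `name:` line lies before the hunk.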
@@ -208,11 +211,15 @@ jobs: - name: Run tests if: ${{ !fromJson(needs.prepare.outputs.push) }} run: | - docker run --platform=${{ matrix.platform }} --rm \ - "$(jq -r '."builder-${{ matrix.variant }}"."containerimage.config.digest"' <<< "${METADATA}")" \ - sh -c './go.sh test -tags ${{ matrix.race }} -v $(./go.sh list ./... | grep -v github.com/dunglas/frankenphp/internal/testext | grep -v github.com/dunglas/frankenphp/internal/extgen) && cd caddy && ../go.sh test ${{ matrix.race }} -v ./...' + docker run --platform="${PLATFORM}" --rm \ + "$(jq -r ".\"builder-${VARIANT}\".\"containerimage.config.digest\"" <<< "${METADATA}")" \ + sh -c "./go.sh test ${RACE} -v $(./go.sh list ./... | grep -v github.com/dunglas/frankenphp/internal/testext | grep -v github.com/dunglas/frankenphp/internal/extgen | tr '\n' ' ') && cd caddy && ../go.sh test ${RACE} -v ./..." env: METADATA: ${{ steps.build.outputs.metadata }} + PLATFORM: ${{ matrix.platform }} + VARIANT: ${{ matrix.variant }} + RACE: ${{ matrix.race }} + # Adapted from https://docs.docker.com/build/ci/github-actions/multi-platform/ push: runs-on: ubuntu-24.04 
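Review bot: Switching the `sh -c` argument from single to double quotes changes where `$(./go.sh list ./... | …)` runs: the runner's shell now expands it before `docker run` starts, so the package list comes from the host's `./go.sh` and toolchain rather than from the builder image's, and the added `tr '\n' ' '` exists only to repair the resulting multi-line string. If listing inside the container was the intent, keep the command single-quoted and pass the flag through the environment: `docker run --platform="${PLATFORM}" --rm -e RACE "$(jq …)" sh -c './go.sh test ${RACE} -v $(./go.sh list ./... | grep -v github.com/dunglas/frankenphp/internal/testext | grep -v github.com/dunglas/frankenphp/internal/extgen) && cd caddy && ../go.sh test ${RACE} -v ./...'`. If host-side listing is deliberate, a YAML comment above the step saying so would keep the next reader from reverting it. Also note that the first invocation lost its `-tags` prefix (`-tags ${{ matrix.race }}` became `${RACE}`); whether that is a fix or a regression depends on what `matrix.race` holds, which is defined outside this hunk.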
@@ -245,13 +252,17 @@ jobs: run: | set -x # shellcheck disable=SC2046,SC2086 - docker buildx imagetools create $(jq -cr '.target."${{ matrix.target }}-${{ matrix.variant }}".tags | map("-t " + .) | join(" ")' <<< ${METADATA}) \ + docker buildx imagetools create $(jq -cr ".target.\"${TARGET}-${VARIANT}\".tags | map(\"-t \" + .) | join(\" \")" <<< ${METADATA}) \ $(printf "${IMAGE_NAME}@sha256:%s " *) env: METADATA: ${{ needs.prepare.outputs.metadata }} + TARGET: ${{ matrix.target }} + VARIANT: ${{ matrix.variant }} - name: Inspect image run: | # shellcheck disable=SC2046,SC2086 - docker buildx imagetools inspect $(jq -cr '.target."${{ matrix.target }}-${{ matrix.variant }}".tags | first' <<< ${METADATA}) + docker buildx imagetools inspect $(jq -cr ".target.\"${TARGET}-${VARIANT}\".tags | first" <<< ${METADATA}) env: METADATA: ${{ needs.prepare.outputs.metadata }} + TARGET: ${{ matrix.target }} + VARIANT: ${{ matrix.variant }} diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 14c0e599..70ad7086 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -23,8 +23,9 @@ jobs: uses: actions/checkout@v5 with: fetch-depth: 0 + persist-credentials: false - name: Lint Code Base - uses: super-linter/super-linter/slim@v8.0.0 + uses: super-linter/super-linter/slim@v8 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} LINTER_RULES_PATH: / @@ -38,6 +39,7 @@ jobs: VALIDATE_PHP_PSALM: false VALIDATE_TERRAGRUNT: false VALIDATE_DOCKERFILE_HADOLINT: false + VALIDATE_TRIVY: false # Prettier and StandardJS are incompatible VALIDATE_JAVASCRIPT_PRETTIER: false VALIDATE_TYPESCRIPT_PRETTIER: false diff --git a/.github/workflows/sanitizers.yaml b/.github/workflows/sanitizers.yaml index 5754f2ee..1647ee7f 100644 --- a/.github/workflows/sanitizers.yaml +++ b/.github/workflows/sanitizers.yaml 
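Review bot: `super-linter/super-linter/slim@v8` in the lint `@@ -23` hunk replaces an exact tag with a floating major tag, so the job — which hands `GITHUB_TOKEN` to the action through `env:` — will run whatever `v8` resolves to at the time, a wider trust surface than `@v8.0.0`. The new `zizmor.yaml` policy `ref-pin` accepts this, but for a third-party action holding a token it is worth keeping the exact tag, or better a commit SHA annotated with the version, e.g. `uses: super-linter/super-linter/slim@<commit-sha-placeholder> # v8.0.0`. The `Lint Code Base` step's `env:` block continues beyond the hunk.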
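Review bot: `VALIDATE_TRIVY: false` in the lint `@@ -38` hunk switches off a security scanner without recording why, whereas the neighbouring Prettier entries carry an explanation (`# Prettier and StandardJS are incompatible`). Add a comment above it in the same style, e.g. `# Trivy: disabled because <reason placeholder — e.g. covered by a separate scan>`, so the exclusion is revisited deliberately rather than inherited. The enclosing `env:` block continues outside the hunk.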
@@ -41,6 +41,8 @@ jobs: - name: Remove local PHP run: sudo apt-get remove --purge --autoremove 'php*' 'libmemcached*' - uses: actions/checkout@v5 + with: + persist-credentials: false - uses: actions/setup-go@v5 with: go-version: "1.25" @@ -63,7 +65,7 @@ jobs: name: Compile PHP run: | mkdir php/ - curl -fsSL "${{ steps.determine-php-version.outputs.archive }}" | tar -Jx -C php --strip-components=1 + curl -fsSL "${URL}" | tar -Jx -C php --strip-components=1 cd php/ ./configure \ CFLAGS="$CFLAGS" \ @@ -93,6 +95,8 @@ jobs: --prefix="$(pwd)/target/" make -j"$(getconf _NPROCESSORS_ONLN)" make install + env: + URL: ${{ steps.determine-php-version.outputs.archive }} - name: Add PHP to the PATH run: echo "$(pwd)/php/target/bin" >> "$GITHUB_PATH" - name: Install e-dant/watcher @@ -104,6 +108,6 @@ jobs: echo "CGO_LDFLAGS=$LDFLAGS $(php-config --ldflags) $(php-config --libs)" } >> "$GITHUB_ENV" - name: Compile tests - run: go test ${{ matrix.sanitizer == 'msan' && '-tags=nowatcher' || '' }} -${{ matrix.sanitizer }} -v -x -c + run: go test ${{ matrix.sanitizer == 'msan' && '-tags=nowatcher' || '' }} -${{ matrix.sanitizer }} -v -x -c - name: Run tests run: ./frankenphp.test -test.v diff --git a/.github/workflows/static.yaml b/.github/workflows/static.yaml index fd241135..a43f474c 100644 --- a/.github/workflows/static.yaml +++ b/.github/workflows/static.yaml @@ -3,6 +3,7 @@ name: Build binary releases concurrency: cancel-in-progress: true group: ${{ github.workflow }}-${{ github.ref }} + on: pull_request: branches: @@ -30,13 +31,14 @@ on: type: string schedule: - cron: "0 0 * * *" + permissions: - contents: write - id-token: write - attestations: write + contents: read + env: IMAGE_NAME: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && 'dunglas/frankenphp' || 'dunglas/frankenphp-dev' }} GOTOOLCHAIN: local + jobs: prepare: runs-on: ubuntu-24.04 
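Review bot: `curl -fsSL "${URL}" | tar -Jx` in the sanitizers `@@ -63` hunk correctly moves the step output out of the script text, but the archive is still extracted and compiled with no integrity check on what was downloaded. If the step producing `steps.determine-php-version.outputs.archive` can also surface the release's published sha256, download to a file and verify it first, `curl -fsSLo php.tar.xz "${URL}" && echo "${SHA256}  php.tar.xz" | sha256sum -c -`, before extracting; how the URL is derived is outside this hunk, so confirm against that step. The `Compile PHP` step's `run:` block continues beyond the hunk.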
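Review bot: The `Compile tests` line in the sanitizers `@@ -104` hunk still interpolates `${{ matrix.sanitizer }}` directly into `run:`, while every other hunk in this commit moves such expressions into `env:`; the old and new lines read identically here, so the change appears to be whitespace only. For consistency (and so the template-injection check has nothing left to flag) write `run: go test ${TAGS} "-${SANITIZER}" -v -x -c` with `TAGS: ${{ matrix.sanitizer == 'msan' && '-tags=nowatcher' || '' }}` and `SANITIZER: ${{ matrix.sanitizer }}` under the step's `env:`. Matrix values are workflow-controlled, so this is hygiene rather than a live injection.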
@@ -51,7 +53,7 @@ jobs: id: check if: github.event_name == 'schedule' run: | - ref="${{ (github.ref_type == 'tag' && github.ref_name) || (github.event_name == 'workflow_dispatch' && inputs.version) || '' }}" + ref="${REF}" if [[ -z "${ref}" ]]; then ref="$(gh release view --repo dunglas/frankenphp --json tagName --jq '.tagName')" fi @@ -59,9 +61,11 @@ jobs: echo "ref=${ref}" >> "${GITHUB_OUTPUT}" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REF: ${{ (github.ref_type == 'tag' && github.ref_name) || (github.event_name == 'workflow_dispatch' && inputs.version) || '' }} - uses: actions/checkout@v5 with: ref: ${{ steps.check.outputs.ref }} + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Create platforms matrix @@ -77,7 +81,12 @@ jobs: env: SHA: ${{ github.sha }} VERSION: ${{ steps.check.outputs.ref || 'dev' }} + build-linux-musl: + permissions: + contents: write + id-token: write + attestations: write strategy: fail-fast: false matrix: @@ -96,12 +105,13 @@ jobs: steps: - name: Prepare id: prepare - run: | - platform=${{ matrix.platform }} - echo "sanitized_platform=${platform//\//-}" >> "${GITHUB_OUTPUT}" + run: echo "sanitized_platform=${PLATFORM//\//-}" >> "${GITHUB_OUTPUT}" + env: + PLATFORM: ${{ matrix.platform }} - uses: actions/checkout@v5 with: ref: ${{ needs.prepare.outputs.ref }} + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: 
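Review bot: With the `check` step guarded by `if: github.event_name == 'schedule'` (visible in the `@@ -51` hunk), the new `REF` env in the `@@ -59` hunk can only ever be empty: on a scheduled run `github.ref_type` is not `tag` and `inputs.version` is unset, so both alternatives are dead and the script always falls through to `gh release view`. Unless the `if:` is broader in the full file than the hunk shows, `REF` and the `ref="${REF}"` / `if [[ -z … ]]` guard can be reduced to `ref="$(gh release view --repo dunglas/frankenphp --json tagName --jq '.tagName')"`, with a YAML comment such as `# scheduled runs always resolve the latest published release` documenting the intent. The step's `name:` line is outside the hunk.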
@@ -156,11 +166,12 @@ jobs: run: | # shellcheck disable=SC2034 digest=$(jq -r '."static-builder-musl"."${{ (fromJson(needs.prepare.outputs.push) && !matrix.debug && !matrix.mimalloc) && 'containerimage.digest' || 'containerimage.config.digest' }}"' <<< "${METADATA}") - docker create --platform=${{ matrix.platform }} --name static-builder-musl "${{ (fromJson(needs.prepare.outputs.push) && !matrix.debug && !matrix.mimalloc) && '${IMAGE_NAME}@${digest}' || '${digest}' }}" + docker create --platform="${PLATFORM}" --name static-builder-musl "${{ (fromJson(needs.prepare.outputs.push) && !matrix.debug && !matrix.mimalloc) && '${IMAGE_NAME}@${digest}' || '${digest}' }}" docker cp "static-builder-musl:/go/src/app/dist/${BINARY}" "${BINARY}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }}" env: METADATA: ${{ steps.build.outputs.metadata }} BINARY: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }} + PLATFORM: ${{ matrix.platform }} - name: Upload artifact if: ${{ !fromJson(needs.prepare.outputs.push) }} uses: actions/upload-artifact@v4 
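Review bot: The `docker create` and `docker cp` lines in the `@@ -156` hunk keep GitHub expressions inside `run:` even though the commit moves `matrix.platform` to `env:`; these remaining expressions are safe because every branch is a string literal selected by a boolean, so no context value reaches the shell, but that reasoning is not visible on the page. A YAML comment above the step, e.g. `# the expressions left in this script only select between fixed literals; no context data is interpolated`, would stop the next hardening pass from churning them — the same applies to the `@@ -259` and `@@ -278` hunks of this file. Note that `'${IMAGE_NAME}@${digest}'` is a literal that the shell expands at run time, which is why `digest` must be assigned on the line before. The step's `name:` line is outside the hunk.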
@@ -169,9 +180,10 @@ jobs: path: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }} - name: Upload assets if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag') - run: gh release upload "${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }}" frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }} --repo dunglas/frankenphp --clobber + run: gh release upload "${REF}" frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }} --repo dunglas/frankenphp --clobber env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REF: ${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }} - if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag') uses: actions/attest-build-provenance@v2 with: @@ -190,6 +202,10 @@ jobs: BINARY: ./frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }} build-linux-gnu: + permissions: + contents: write + id-token: write + attestations: write strategy: fail-fast: false matrix: @@ -200,12 +216,13 @@ jobs: steps: - name: Prepare id: prepare - run: | - platform=${{ matrix.platform }} - echo "sanitized_platform=${platform//\//-}" >> "${GITHUB_OUTPUT}" + run: echo "sanitized_platform=${PLATFORM//\//-}" >> "${GITHUB_OUTPUT}" + env: + PLATFORM: ${{ matrix.platform }} - uses: actions/checkout@v5 with: ref: ${{ needs.prepare.outputs.ref }} + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: 
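Review bot: The artifact name `frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }}` is spelled out in full at least three times in the `@@ -169` hunk (`path:`, the `gh release upload` line and the attestation `BINARY:`), and now that `REF` lives in `env:` that `run:` line is the only place still mixing expressions into shell. Defining it once at job level — `env:` with `ARTIFACT:` set to that same expression — lets the step become `run: gh release upload "${REF}" "${ARTIFACT}" --repo dunglas/frankenphp --clobber` and the other two uses reference `${{ env.ARTIFACT }}`. The `build-linux-gnu` job in the `@@ -200` hunk could share the same approach. `build-linux-musl` starts before the hunk.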
@@ -259,7 +276,7 @@ jobs: run: | # shellcheck disable=SC2034 digest=$(jq -r '."static-builder-gnu"."${{ fromJson(needs.prepare.outputs.push) && 'containerimage.digest' || 'containerimage.config.digest' }}"' <<< "${METADATA}") - container_id=$(docker create --platform=${{ matrix.platform }} "${{ fromJson(needs.prepare.outputs.push) && '${IMAGE_NAME}@${digest}' || '${digest}' }}") + container_id=$(docker create --platform="${PLATFORM}" "${{ fromJson(needs.prepare.outputs.push) && '${IMAGE_NAME}@${digest}' || '${digest}' }}") mkdir -p gh-output cd gh-output for file in $(docker run --rm "${{ fromJson(needs.prepare.outputs.push) && '${IMAGE_NAME}@${digest}' || '${digest}' }}" sh -c "ls /go/src/app/dist | grep '^frankenphp'"); do @@ -270,6 +287,7 @@ jobs: env: METADATA: ${{ steps.build.outputs.metadata }} BINARY: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }} + PLATFORM: ${{ matrix.platform }} - name: Upload artifact if: ${{ !fromJson(needs.prepare.outputs.push) }} uses: actions/upload-artifact@v4 @@ -278,9 +296,10 @@ jobs: path: gh-output/* - name: Upload assets if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag') - run: gh release upload "${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }}" gh-output/* --repo dunglas/frankenphp --clobber + run: gh release upload "${REF}" gh-output/* --repo dunglas/frankenphp --clobber env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REF: ${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }} - if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag') uses: actions/attest-build-provenance@v2 with: @@ -356,6 +375,10 @@ jobs: GNU_METADATA: ${{ needs.prepare.outputs.gnu_metadata }} build-mac: + permissions: + contents: write + id-token: write + attestations: write strategy: fail-fast: false matrix: 
@@ -369,23 +392,27 @@ jobs: - uses: actions/checkout@v5 with: ref: ${{ needs.prepare.outputs.ref }} + persist-credentials: false - uses: actions/setup-go@v5 with: go-version: "1.25" cache-dependency-path: | go.sum caddy/go.sum + cache: false - name: Set FRANKENPHP_VERSION run: | if [ "${GITHUB_REF_TYPE}" == "tag" ]; then export FRANKENPHP_VERSION=${GITHUB_REF_NAME:1} elif [ "${GITHUB_EVENT_NAME}" == "schedule" ]; then - export FRANKENPHP_VERSION="${{ needs.prepare.outputs.ref }}" + export FRANKENPHP_VERSION="${REF}" else export FRANKENPHP_VERSION=${GITHUB_SHA} fi echo "FRANKENPHP_VERSION=${FRANKENPHP_VERSION}" >> "${GITHUB_ENV}" + env: + REF: ${{ needs.prepare.outputs.ref }} - name: Build FrankenPHP run: ./build-static.sh env: diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 0af5646e..9f14db31 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -38,6 +38,8 @@ jobs: LIBRARY_PATH: ${{ github.workspace }}/watcher/target/lib steps: - uses: actions/checkout@v5 + with: + persist-credentials: false - uses: actions/setup-go@v5 with: go-version: "1.25" @@ -99,6 +101,8 @@ jobs: HOMEBREW_NO_AUTO_UPDATE: 1 steps: - uses: actions/checkout@v5 + with: + persist-credentials: false - uses: actions/setup-go@v5 with: go-version: "1.25" diff --git a/zizmor.yaml b/zizmor.yaml new file mode 100644 index 00000000..bbb03663 --- /dev/null +++ b/zizmor.yaml @@ -0,0 +1,6 @@ +--- +rules: + unpinned-uses: + config: + policies: + "*": ref-pin
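Review bot: `cache: false` is added to the `actions/setup-go@v5` step in the `@@ -369` hunk while the `cache-dependency-path:` list directly above it is kept; with caching off that list has no effect, so either drop it or add a YAML comment above `cache: false` such as `# cache disabled: <reason placeholder>` so the leftover setting does not read as a mistake. The `build-mac` job starts outside the hunk.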
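Review bot: `"*": ref-pin` in the new `zizmor.yaml` still permits floating tags such as `@v5` and `@v8`; for third-party actions that receive `GITHUB_TOKEN` or run under `id-token: write` (super-linter and attest-build-provenance elsewhere in this diff) `hash-pin` is the stronger setting, e.g. keep the wildcard and add `"super-linter/*": hash-pin`. Also confirm that the zizmor version in use discovers a root-level `zizmor.yaml`; the default locations I am aware of are `zizmor.yml` and `.github/zizmor.yml`, and a silently ignored config would leave the policy unenforced. A short comment above `rules:` stating which version the file was written for would help the next reader check this.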