ci: upgrade to super-linter 6 (#952)

.github/workflows/docker.yaml

@@ -16,12 +16,15 @@ on:
       - v*.*.*
   workflow_dispatch:
     inputs:
+      #checkov:skip=CKV_GHA_7
       version:
         description: 'FrankenPHP version'
         required: false
         type: string
   schedule:
     - cron:  '0 4 * * *'
+permissions:
+  contents: read
 env:
   IMAGE_NAME: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && 'dunglas/frankenphp' || 'dunglas/frankenphp-dev' }}
 jobs:

.github/workflows/lint.yaml

@@ -7,17 +7,14 @@ on:
   push:
     branches:
       - main
-
+permissions:
+  contents: read
+  packages: read
+  statuses: write  
 jobs:
   build:
     name: Lint Code Base
     runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-      packages: read
-      statuses: write
-
     steps:
       -
         name: Checkout Code
@@ -26,7 +23,7 @@ jobs:
           fetch-depth: 0
       -
         name: Lint Code Base
-        uses: super-linter/super-linter/slim@v5
+        uses: super-linter/super-linter/slim@v6.8.0
         env:
           VALIDATE_ALL_CODEBASE: true
           DEFAULT_BRANCH: main
@@ -36,7 +33,11 @@ jobs:
           VALIDATE_CPP: false
           VALIDATE_JSCPD: false
           VALIDATE_GO: false
+          VALIDATE_GO_MODULES: false
           VALIDATE_PHP_PHPCS: false
           VALIDATE_PHP_PHPSTAN: false
           VALIDATE_PHP_PSALM: false
           VALIDATE_TERRAGRUNT: false
+          # Prettier and StandardJS are incompatible
+          VALIDATE_JAVASCRIPT_PRETTIER: false
+          VALIDATE_TYPESCRIPT_PRETTIER: false

.github/workflows/static.yaml

@@ -16,12 +16,15 @@ on:
       - v*.*.*
   workflow_dispatch:
     inputs:
+      #checkov:skip=CKV_GHA_7
       version:
         description: 'FrankenPHP version'
         required: false
         type: string
   schedule:
     - cron:  '0 0 * * *'
+permissions:
+  contents: write
 env:
   IMAGE_NAME: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && 'dunglas/frankenphp' || 'dunglas/frankenphp-dev' }}    
 jobs:

.github/workflows/tests.yaml

@@ -11,6 +11,8 @@ on:
       - main
     paths-ignore:
       - 'docs/**'
+permissions:
+  contents: read
 jobs:
   tests:
     runs-on: ubuntu-latest

Dockerfile

@@ -1,4 +1,7 @@
 # syntax=docker/dockerfile:1
+#checkov:skip=CKV_DOCKER_2
+#checkov:skip=CKV_DOCKER_3
+#checkov:skip=CKV_DOCKER_7
 FROM php-base AS common
 
 WORKDIR /app

alpine.Dockerfile

@@ -1,4 +1,7 @@
 # syntax=docker/dockerfile:1
+#checkov:skip=CKV_DOCKER_2
+#checkov:skip=CKV_DOCKER_3
+#checkov:skip=CKV_DOCKER_7
 FROM php-base AS common
 
 ARG TARGETARCH

build-static.sh

@@ -3,138 +3,138 @@
 set -o errexit
 set -x
 
-if ! type "git" > /dev/null 2>&1; then
-    echo "The \"git\" command must be installed."
-    exit 1
+if ! type "git" >/dev/null 2>&1; then
+	echo "The \"git\" command must be installed."
+	exit 1
 fi
 
 arch="$(uname -m)"
 os="$(uname -s | tr '[:upper:]' '[:lower:]')"
 md5binary="md5sum"
 if [ "${os}" = "darwin" ]; then
-    os="mac"
-    md5binary="md5 -q"
+	os="mac"
+	md5binary="md5 -q"
 fi
 
-if [ "${os}" = "linux" ] && ! type "cmake" > /dev/null 2>&1; then
-    echo "The \"cmake\" command must be installed."
-    exit 1
+if [ "${os}" = "linux" ] && ! type "cmake" >/dev/null 2>&1; then
+	echo "The \"cmake\" command must be installed."
+	exit 1
 fi
 
 if [ -z "${PHP_EXTENSIONS}" ]; then
-    if [ -n "${EMBED}" ] && [ -f "${EMBED}/composer.json" ]; then
-        cd "${EMBED}"
-        PHP_EXTENSIONS="$(composer check-platform-reqs --no-dev 2>/dev/null | grep ^ext | sed -e 's/^ext-//' -e 's/ .*//' | xargs | tr ' ' ',')"
-        export PHP_EXTENSIONS
-        cd -
-    else
-        export PHP_EXTENSIONS="apcu,bcmath,bz2,calendar,ctype,curl,dba,dom,exif,fileinfo,filter,ftp,gd,gmp,gettext,iconv,igbinary,imagick,intl,ldap,mbregex,mbstring,mysqli,mysqlnd,opcache,openssl,pcntl,pdo,pdo_mysql,pdo_pgsql,pdo_sqlite,pgsql,phar,posix,protobuf,readline,redis,session,shmop,simplexml,soap,sockets,sodium,sqlite3,ssh2,sysvmsg,sysvsem,sysvshm,tidy,tokenizer,xlswriter,xml,xmlreader,xmlwriter,zip,zlib,yaml,zstd"
-    fi
+	if [ -n "${EMBED}" ] && [ -f "${EMBED}/composer.json" ]; then
+		cd "${EMBED}"
+		PHP_EXTENSIONS="$(composer check-platform-reqs --no-dev 2>/dev/null | grep ^ext | sed -e 's/^ext-//' -e 's/ .*//' | xargs | tr ' ' ',')"
+		export PHP_EXTENSIONS
+		cd -
+	else
+		export PHP_EXTENSIONS="apcu,bcmath,bz2,calendar,ctype,curl,dba,dom,exif,fileinfo,filter,ftp,gd,gmp,gettext,iconv,igbinary,imagick,intl,ldap,mbregex,mbstring,mysqli,mysqlnd,opcache,openssl,pcntl,pdo,pdo_mysql,pdo_pgsql,pdo_sqlite,pgsql,phar,posix,protobuf,readline,redis,session,shmop,simplexml,soap,sockets,sodium,sqlite3,ssh2,sysvmsg,sysvsem,sysvshm,tidy,tokenizer,xlswriter,xml,xmlreader,xmlwriter,zip,zlib,yaml,zstd"
+	fi
 fi
 
 if [ -z "${PHP_EXTENSION_LIBS}" ]; then
-    export PHP_EXTENSION_LIBS="bzip2,freetype,libavif,libjpeg,liblz4,libwebp,libzip"
+	export PHP_EXTENSION_LIBS="bzip2,freetype,libavif,libjpeg,liblz4,libwebp,libzip"
 fi
 
 # The Brotli library must always be built as it is required by http://github.com/dunglas/caddy-cbrotli
 if ! echo "${PHP_EXTENSION_LIBS}" | grep -q "\bbrotli\b"; then
-    export PHP_EXTENSION_LIBS="${PHP_EXTENSION_LIBS},brotli"
+	export PHP_EXTENSION_LIBS="${PHP_EXTENSION_LIBS},brotli"
 fi
 
 if [ -z "${PHP_VERSION}" ]; then
-    export PHP_VERSION="8.3"
+	export PHP_VERSION="8.3"
 fi
 
 if [ -z "${FRANKENPHP_VERSION}" ]; then
-    FRANKENPHP_VERSION="$(git rev-parse --verify HEAD)"
-    export FRANKENPHP_VERSION
+	FRANKENPHP_VERSION="$(git rev-parse --verify HEAD)"
+	export FRANKENPHP_VERSION
 elif [ -d ".git/" ]; then
-    CURRENT_REF="$(git rev-parse --abbrev-ref HEAD)"
-    export CURRENT_REF
+	CURRENT_REF="$(git rev-parse --abbrev-ref HEAD)"
+	export CURRENT_REF
 
-    if echo "${FRANKENPHP_VERSION}" | grep -F -q "."; then
-        # Tag
+	if echo "${FRANKENPHP_VERSION}" | grep -F -q "."; then
+		# Tag
 
-        # Trim "v" prefix if any
-        FRANKENPHP_VERSION=${FRANKENPHP_VERSION#v}
-        export FRANKENPHP_VERSION
+		# Trim "v" prefix if any
+		FRANKENPHP_VERSION=${FRANKENPHP_VERSION#v}
+		export FRANKENPHP_VERSION
 
-        git checkout "v${FRANKENPHP_VERSION}"
-    else
-        git checkout "${FRANKENPHP_VERSION}"
-    fi
+		git checkout "v${FRANKENPHP_VERSION}"
+	else
+		git checkout "${FRANKENPHP_VERSION}"
+	fi
 fi
 
 bin="frankenphp-${os}-${arch}"
 
 if [ -n "${CLEAN}" ]; then
-    rm -Rf dist/
-    go clean -cache
+	rm -Rf dist/
+	go clean -cache
 fi
 
 # Build libphp if necessary
 if [ -f "dist/static-php-cli/buildroot/lib/libphp.a" ]; then
-    cd dist/static-php-cli
+	cd dist/static-php-cli
 else
-    mkdir -p dist/
-    cd dist/
+	mkdir -p dist/
+	cd dist/
 
-    if [ -d "static-php-cli/" ]; then
-        cd static-php-cli/
-        git pull
-    else
-        git clone --depth 1 https://github.com/crazywhalecc/static-php-cli
-        cd static-php-cli/
-    fi
+	if [ -d "static-php-cli/" ]; then
+		cd static-php-cli/
+		git pull
+	else
+		git clone --depth 1 https://github.com/crazywhalecc/static-php-cli
+		cd static-php-cli/
+	fi
 
-    if type "brew" > /dev/null 2>&1; then
-        if ! type "composer" > /dev/null; then
-            packages="composer"
-        fi
-        if ! type "go" > /dev/null; then
-            packages="${packages} go"
-        fi
-        if [ -n "${RELEASE}" ] && ! type "gh" > /dev/null 2>&1; then
-            packages="${packages} gh"
-        fi
+	if type "brew" >/dev/null 2>&1; then
+		if ! type "composer" >/dev/null; then
+			packages="composer"
+		fi
+		if ! type "go" >/dev/null; then
+			packages="${packages} go"
+		fi
+		if [ -n "${RELEASE}" ] && ! type "gh" >/dev/null 2>&1; then
+			packages="${packages} gh"
+		fi
 
-        if [ -n "${packages}" ]; then
-            # shellcheck disable=SC2086
-            brew install --formula --quiet ${packages}
-        fi
-    fi
+		if [ -n "${packages}" ]; then
+			# shellcheck disable=SC2086
+			brew install --formula --quiet ${packages}
+		fi
+	fi
 
-    composer install --no-dev -a
+	composer install --no-dev -a
 
-    if [ "${os}" = "linux" ]; then
-        extraOpts="--disable-opcache-jit"
-    fi
+	if [ "${os}" = "linux" ]; then
+		extraOpts="--disable-opcache-jit"
+	fi
 
-    if [ -n "${DEBUG_SYMBOLS}" ]; then
-        extraOpts="${extraOpts} --no-strip"
-    fi
+	if [ -n "${DEBUG_SYMBOLS}" ]; then
+		extraOpts="${extraOpts} --no-strip"
+	fi
 
-    ./bin/spc doctor --auto-fix
-    ./bin/spc download --with-php="${PHP_VERSION}" --for-extensions="${PHP_EXTENSIONS}" --for-libs="${PHP_EXTENSION_LIBS}" --ignore-cache-sources=php-src --prefer-pre-built
-    # shellcheck disable=SC2086
-    ./bin/spc build --debug --enable-zts --build-embed ${extraOpts} "${PHP_EXTENSIONS}" --with-libs="${PHP_EXTENSION_LIBS}"
+	./bin/spc doctor --auto-fix
+	./bin/spc download --with-php="${PHP_VERSION}" --for-extensions="${PHP_EXTENSIONS}" --for-libs="${PHP_EXTENSION_LIBS}" --ignore-cache-sources=php-src --prefer-pre-built
+	# shellcheck disable=SC2086
+	./bin/spc build --debug --enable-zts --build-embed ${extraOpts} "${PHP_EXTENSIONS}" --with-libs="${PHP_EXTENSION_LIBS}"
 fi
 
 CGO_CFLAGS="-DFRANKENPHP_VERSION=${FRANKENPHP_VERSION} -I${PWD}/buildroot/include/ $(./buildroot/bin/php-config --includes | sed s#-I/#-I"${PWD}"/buildroot/#g)"
 if [ -n "${DEBUG_SYMBOLS}" ]; then
-    CGO_CFLAGS="-g ${CGO_CFLAGS}"
+	CGO_CFLAGS="-g ${CGO_CFLAGS}"
 fi
 export CGO_CFLAGS
 
 if [ "${os}" = "mac" ]; then
-    export CGO_LDFLAGS="-framework CoreFoundation -framework SystemConfiguration"
+	export CGO_LDFLAGS="-framework CoreFoundation -framework SystemConfiguration"
 fi
 
 CGO_LDFLAGS="${CGO_LDFLAGS} ${PWD}/buildroot/lib/libbrotlicommon.a ${PWD}/buildroot/lib/libbrotlienc.a ${PWD}/buildroot/lib/libbrotlidec.a $(./buildroot/bin/php-config --ldflags || true) $(./buildroot/bin/php-config --libs || true)"
 if [ "${os}" = "linux" ]; then
-    if echo "${PHP_EXTENSIONS}" | grep -qE "\b(intl|imagick|grpc|v8js|protobuf|mongodb|tbb)\b"; then
-        CGO_LDFLAGS="${CGO_LDFLAGS} -lstdc++"
-    fi
+	if echo "${PHP_EXTENSIONS}" | grep -qE "\b(intl|imagick|grpc|v8js|protobuf|mongodb|tbb)\b"; then
+		CGO_LDFLAGS="${CGO_LDFLAGS} -lstdc++"
+	fi
 fi
 export CGO_LDFLAGS
 
@@ -144,92 +144,91 @@ export LIBPHP_VERSION
 cd ../
 
 if [ "${os}" = "linux" ]; then
-    if  [ -n "${MIMALLOC}" ]; then
-        # Replace musl's mallocng by mimalloc
-        # The default musl allocator is slow, especially when used by multi-threaded apps,
-        # and triggers weird bugs
-        # Adapted from https://www.tweag.io/blog/2023-08-10-rust-static-link-with-mimalloc/
+	if [ -n "${MIMALLOC}" ]; then
+		# Replace musl's mallocng by mimalloc
+		# The default musl allocator is slow, especially when used by multi-threaded apps,
+		# and triggers weird bugs
+		# Adapted from https://www.tweag.io/blog/2023-08-10-rust-static-link-with-mimalloc/
 
-        echo 'The USE_MIMALLOC environment variable is EXPERIMENTAL.'
-        echo 'This option can be removed or its behavior modified at any time.'
+		echo 'The USE_MIMALLOC environment variable is EXPERIMENTAL.'
+		echo 'This option can be removed or its behavior modified at any time.'
 
-        if [ ! -f "mimalloc/out/libmimalloc.a" ]; then
-            if [ -d "mimalloc" ]; then
-                cd mimalloc/
-                git reset --hard
-                git clean -xdf
-                git fetch --tags
-            else
-                git clone https://github.com/microsoft/mimalloc.git
-                cd mimalloc/
-            fi
+		if [ ! -f "mimalloc/out/libmimalloc.a" ]; then
+			if [ -d "mimalloc" ]; then
+				cd mimalloc/
+				git reset --hard
+				git clean -xdf
+				git fetch --tags
+			else
+				git clone https://github.com/microsoft/mimalloc.git
+				cd mimalloc/
+			fi
 
-            git checkout "$(git describe --tags "$(git rev-list --tags --max-count=1 || true)" || true)"
+			git checkout "$(git describe --tags "$(git rev-list --tags --max-count=1 || true)" || true)"
 
-            curl -f -L --retry 5 https://raw.githubusercontent.com/tweag/rust-alpine-mimalloc/b26002b49d466a295ea8b50828cb7520a71a872a/mimalloc.diff -o mimalloc.diff
-            patch -p1 < mimalloc.diff
+			curl -f -L --retry 5 https://raw.githubusercontent.com/tweag/rust-alpine-mimalloc/b26002b49d466a295ea8b50828cb7520a71a872a/mimalloc.diff -o mimalloc.diff
+			patch -p1 <mimalloc.diff
 
-            mkdir -p out/
-            cd out/
-            if [ -n "${DEBUG_SYMBOLS}" ]; then
-                cmake \
-                    -DCMAKE_BUILD_TYPE=Debug \
-                    -DMI_BUILD_SHARED=OFF \
-                    -DMI_BUILD_OBJECT=OFF \
-                    -DMI_BUILD_TESTS=OFF \
-                    ../
-            else
-                cmake \
-                    -DCMAKE_BUILD_TYPE=Release \
-                    -DMI_BUILD_SHARED=OFF \
-                    -DMI_BUILD_OBJECT=OFF \
-                    -DMI_BUILD_TESTS=OFF \
-                    ../
-            fi
-            make -j"$(nproc || true)"
+			mkdir -p out/
+			cd out/
+			if [ -n "${DEBUG_SYMBOLS}" ]; then
+				cmake \
+					-DCMAKE_BUILD_TYPE=Debug \
+					-DMI_BUILD_SHARED=OFF \
+					-DMI_BUILD_OBJECT=OFF \
+					-DMI_BUILD_TESTS=OFF \
+					../
+			else
+				cmake \
+					-DCMAKE_BUILD_TYPE=Release \
+					-DMI_BUILD_SHARED=OFF \
+					-DMI_BUILD_OBJECT=OFF \
+					-DMI_BUILD_TESTS=OFF \
+					../
+			fi
+			make -j"$(nproc || true)"
 
-            cd ../../
-        fi
+			cd ../../
+		fi
 
-        if [ -n "${DEBUG_SYMBOLS}" ]; then
-            libmimalloc_path=mimalloc/out/libmimalloc-debug.a
-        else
-            libmimalloc_path=mimalloc/out/libmimalloc.a
-        fi
+		if [ -n "${DEBUG_SYMBOLS}" ]; then
+			libmimalloc_path=mimalloc/out/libmimalloc-debug.a
+		else
+			libmimalloc_path=mimalloc/out/libmimalloc.a
+		fi
 
-        # Patch musl library to use mimalloc
-        for libc_path in "/usr/local/musl/lib/libc.a" "/usr/local/musl/$(uname -m)-linux-musl/lib/libc.a" "/usr/lib/libc.a"
-        do
-            if [ ! -f "${libc_path}" ] || [ -f "${libc_path}.unpatched" ]; then
-                continue
-            fi
+		# Patch musl library to use mimalloc
+		for libc_path in "/usr/local/musl/lib/libc.a" "/usr/local/musl/$(uname -m)-linux-musl/lib/libc.a" "/usr/lib/libc.a"; do
+			if [ ! -f "${libc_path}" ] || [ -f "${libc_path}.unpatched" ]; then
+				continue
+			fi
 
-            {
-                echo "CREATE libc.a"
-                echo "ADDLIB ${libc_path}"
-                echo "DELETE aligned_alloc.lo calloc.lo donate.lo free.lo libc_calloc.lo lite_malloc.lo malloc.lo malloc_usable_size.lo memalign.lo posix_memalign.lo realloc.lo reallocarray.lo valloc.lo"
-                echo "ADDLIB ${libmimalloc_path}"
-                echo "SAVE"
-            } | ar -M
-            mv "${libc_path}" "${libc_path}.unpatched"
-            mv libc.a "${libc_path}"
-        done
-    fi
+			{
+				echo "CREATE libc.a"
+				echo "ADDLIB ${libc_path}"
+				echo "DELETE aligned_alloc.lo calloc.lo donate.lo free.lo libc_calloc.lo lite_malloc.lo malloc.lo malloc_usable_size.lo memalign.lo posix_memalign.lo realloc.lo reallocarray.lo valloc.lo"
+				echo "ADDLIB ${libmimalloc_path}"
+				echo "SAVE"
+			} | ar -M
+			mv "${libc_path}" "${libc_path}.unpatched"
+			mv libc.a "${libc_path}"
+		done
+	fi
 
-    # Increase the default stack size to prevents issues with code including many files such as Symfony containers
-    extraExtldflags="-Wl,-z,stack-size=0x80000"
+	# Increase the default stack size to prevents issues with code including many files such as Symfony containers
+	extraExtldflags="-Wl,-z,stack-size=0x80000"
 fi
 
 if [ -z "${DEBUG_SYMBOLS}" ]; then
-    extraLdflags="-w -s"
+	extraLdflags="-w -s"
 fi
 
 cd ../
 
 # Embed PHP app, if any
 if [ -n "${EMBED}" ] && [ -d "${EMBED}" ]; then
-    tar -cf app.tar -C "${EMBED}" .
-    ${md5binary} app.tar | awk '{printf $1}' > app_checksum.txt
+	tar -cf app.tar -C "${EMBED}" .
+	${md5binary} app.tar | awk '{printf $1}' >app_checksum.txt
 fi
 
 cd caddy/frankenphp/
@@ -238,20 +237,20 @@ go build -buildmode=pie -tags "cgo netgo osusergo static_build" -ldflags "-linkm
 cd ../..
 
 if [ -d "${EMBED}" ]; then
-    truncate -s 0 app.tar
-    truncate -s 0 app_checksum.txt
+	truncate -s 0 app.tar
+	truncate -s 0 app_checksum.txt
 fi
 
-if type "upx" > /dev/null 2>&1 && [ -z "${DEBUG_SYMBOLS}" ] && [ -z "${NO_COMPRESS}" ]; then
-    upx --best "dist/${bin}"
+if type "upx" >/dev/null 2>&1 && [ -z "${DEBUG_SYMBOLS}" ] && [ -z "${NO_COMPRESS}" ]; then
+	upx --best "dist/${bin}"
 fi
 
 "dist/${bin}" version
 
 if [ -n "${RELEASE}" ]; then
-    gh release upload "v${FRANKENPHP_VERSION}" "dist/${bin}" --repo dunglas/frankenphp --clobber
+	gh release upload "v${FRANKENPHP_VERSION}" "dist/${bin}" --repo dunglas/frankenphp --clobber
 fi
 
 if [ -n "${CURRENT_REF}" ]; then
-    git checkout "${CURRENT_REF}"
+	git checkout "${CURRENT_REF}"
 fi

dev-alpine.Dockerfile

@@ -1,4 +1,6 @@
 # syntax=docker/dockerfile:1
+#checkov:skip=CKV_DOCKER_2
+#checkov:skip=CKV_DOCKER_3
 FROM golang:1.22-alpine
 
 ENV CFLAGS="-ggdb3"

dev.Dockerfile

@@ -1,4 +1,6 @@
 # syntax=docker/dockerfile:1
+#checkov:skip=CKV_DOCKER_2
+#checkov:skip=CKV_DOCKER_3
 FROM golang:1.22
 
 ENV CFLAGS="-ggdb3"

release.sh

@@ -9,25 +9,25 @@ set -o errtrace
 set -o pipefail
 set -o xtrace
 
-if ! type "git" > /dev/null; then
-    echo "The \"git\" command must be installed."
-    exit 1
+if ! type "git" >/dev/null; then
+	echo "The \"git\" command must be installed."
+	exit 1
 fi
 
-if ! type "gh" > /dev/null; then
-    echo "The \"gh\" command must be installed."
-    exit 1
+if ! type "gh" >/dev/null; then
+	echo "The \"gh\" command must be installed."
+	exit 1
 fi
 
 if [[ $# -ne 1 ]]; then
-    echo "Usage: ./release.sh version" >&2
-    exit 1
+	echo "Usage: ./release.sh version" >&2
+	exit 1
 fi
 
 # Adapted from https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string
 if [[ ! $1 =~ ^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(\+([0-9a-zA-Z-]+(\.[0-9a-zA-Z-]+)*))?$ ]]; then
-    echo "Invalid version number: $1" >&2
-    exit 1
+	echo "Invalid version number: $1" >&2
+	exit 1
 fi
 
 git checkout main
@@ -44,6 +44,6 @@ git tag -s -m "Version $1" "caddy/v$1"
 git push --follow-tags
 
 tags=$(git tag --list --sort=-version:refname 'v*')
-previous_tag=$(awk 'NR==2 {print;exit}' <<< "${tags}")
+previous_tag=$(awk 'NR==2 {print;exit}' <<<"${tags}")
 
 gh release create --draft --generate-notes --latest --notes-start-tag "${previous_tag}" --verify-tag "v$1"

reload_test.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
-for ((i = 0 ; i < 100 ; i++)); do
-    curl --no-progress-meter -o /dev/null http://localhost:2019/config/apps/frankenphp -: --no-progress-meter -o /dev/null -H 'Cache-Control: must-revalidate' -H 'Content-Type: application/json' --data-binary '{"workers":[{"file_name":"./index.php"}]}' -X PATCH http://localhost:2019/config/apps/frankenphp
+for ((i = 0; i < 100; i++)); do
+	curl --no-progress-meter -o /dev/null http://localhost:2019/config/apps/frankenphp -: --no-progress-meter -o /dev/null -H 'Cache-Control: must-revalidate' -H 'Content-Type: application/json' --data-binary '{"workers":[{"file_name":"./index.php"}]}' -X PATCH http://localhost:2019/config/apps/frankenphp
 done

static-builder.Dockerfile

@@ -1,4 +1,7 @@
 # syntax=docker/dockerfile:1
+#checkov:skip=CKV_DOCKER_2
+#checkov:skip=CKV_DOCKER_3
+#checkov:skip=CKV_DOCKER_7
 FROM golang-base
 
 ARG TARGETARCH