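name: Build and Push PHP-FPM Images

# IMPORTANT: This workflow depends on php-base tier images being available.
# Do NOT add push triggers for php-fpm/** paths - this would cause race conditions
# where php-fpm tries to build before php-base images are pushed.
# Instead, use repository_dispatch from php-base workflow or workflow_dispatch.
on:  # yamllint disable-line rule:truthy
  # NO push trigger - php-fpm depends on php-base images being built first
  # Use repository_dispatch from php-base workflow instead
  workflow_dispatch:
    # NOTE(review): neither input is referenced by the build matrices in this
    # file - every job hard-codes the full php_version/os_variant lists - so the
    # inputs currently only document intent. Either feed them into the matrices
    # (e.g. via fromJSON) or remove them to avoid a misleading dispatch form.
    inputs:
      php_version:
        # Lists every version the matrices actually build (8.5 included).
        description: 'PHP Version to build (8.2, 8.3, 8.4, 8.5, or all)'
        required: false
        default: 'all'
      os_variant:
        description: 'OS variant to build (bookworm or all)'
        required: false
        default: 'all'
  repository_dispatch:
    types: [php-base-updated]
  # Fires when the php-base workflow finishes on main; the build jobs additionally
  # gate on workflow_run.conclusion == 'success' so a failed base build does not
  # produce php-fpm images on top of stale bases.
  workflow_run:
    workflows: ["Build and Push PHP-Base Images"]
    types: [completed]
    branches: [main]
  schedule:
    # Weekly security rebuild - Monday 02:00 UTC (fallback; workflow_run trigger fires on completion)
    - cron: '0 2 * * 1'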
jobs:
# Every build job below calls the same reusable workflow (_build-image.yml)
# with a php_version x os_variant matrix; each tier is built twice, as a
# root target and as a rootless target (rootless: true), with cosign enabled.
# ═══════════════════════════════════════════════════════════════════════════
# SLIM TIER - Minimal PHP + essential extensions
# ═══════════════════════════════════════════════════════════════════════════
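build-slim-matrix:
  # Skip only when the upstream php-base run did not succeed; every other
  # trigger (dispatch, repository_dispatch, schedule) runs unconditionally.
  if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name != 'workflow_run' }}
  strategy:
    fail-fast: false
    matrix:
      php_version: ['8.2', '8.3', '8.4', '8.5']
      os_variant: ['bookworm']
  uses: ./.github/workflows/_build-image.yml
  with:
    image-name: php-fpm
    image-type: php-fpm
    php-version: ${{ matrix.php_version }}
    os-variant: ${{ matrix.os_variant }}
    tier: slim
    target: slim-root
    tag-suffix: slim
    cache-scope-prefix: fpm
    enable-patch-tags: true
    enable-latest-tag: true
    enable-cosign: true
    base-image-type: fpm
    # Smoke test for the built image ($IMAGE is expected to be set by the
    # reusable workflow). Required extensions are checked one at a time: a
    # single `grep -E "a|b|c"` succeeds as soon as ANY one of them is present,
    # so it never detected a missing extension. grep -i is needed because
    # `php -m` lists opcache as "Zend OPcache".
    test-script: |
      echo "Testing slim image $IMAGE..."
      docker run --rm "$IMAGE" php -v
      modules=$(docker run --rm "$IMAGE" php -m)
      for ext in opcache redis pdo_mysql gd; do
        printf '%s\n' "$modules" | grep -qi "$ext" || { echo "Missing extension: $ext"; exit 1; }
      done
      docker run --rm "$IMAGE" composer --version
      docker run --rm "$IMAGE" cbox-init --version
      # Slim tier should NOT have imagick or node (warn only; does not fail the build)
      ! printf '%s\n' "$modules" | grep -qi imagick || echo "Warning: imagick found in slim tier"
      ! docker run --rm "$IMAGE" node --version 2>/dev/null || echo "Warning: node found in slim tier"
  # Forwards every repository secret to the reusable workflow; an explicit
  # secret list would be the narrower choice.
  secrets: inherit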
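build-slim-rootless-matrix:
  # Skip only when the upstream php-base run did not succeed; every other
  # trigger (dispatch, repository_dispatch, schedule) runs unconditionally.
  if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name != 'workflow_run' }}
  strategy:
    fail-fast: false
    matrix:
      php_version: ['8.2', '8.3', '8.4', '8.5']
      os_variant: ['bookworm']
  uses: ./.github/workflows/_build-image.yml
  with:
    image-name: php-fpm
    image-type: php-fpm
    php-version: ${{ matrix.php_version }}
    os-variant: ${{ matrix.os_variant }}
    tier: slim
    target: slim-rootless
    rootless: true
    tag-suffix: slim-rootless
    cache-scope-prefix: fpm
    enable-patch-tags: true
    enable-latest-tag: true
    enable-cosign: true
    base-image-type: fpm
    # Smoke test for the built image ($IMAGE is expected to be set by the
    # reusable workflow). $IMAGE is quoted so an empty value fails loudly
    # instead of silently testing whatever image `php` resolves to.
    test-script: |
      echo "Testing slim rootless image $IMAGE..."
      # Verify running as non-root (www-data = uid 33 on Debian Bookworm)
      docker run --rm "$IMAGE" id -u | grep -E "^33$"
      docker run --rm "$IMAGE" php -v
      docker run --rm "$IMAGE" composer --version
  # Forwards every repository secret to the reusable workflow; an explicit
  # secret list would be the narrower choice.
  secrets: inherit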
# ═══════════════════════════════════════════════════════════════════════════
# STANDARD TIER (DEFAULT) - + ImageMagick, vips, Node.js
# ═══════════════════════════════════════════════════════════════════════════
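build-matrix:
  # Skip only when the upstream php-base run did not succeed; every other
  # trigger (dispatch, repository_dispatch, schedule) runs unconditionally.
  if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name != 'workflow_run' }}
  strategy:
    fail-fast: false
    matrix:
      php_version: ['8.2', '8.3', '8.4', '8.5']
      os_variant: ['bookworm']
  uses: ./.github/workflows/_build-image.yml
  with:
    image-name: php-fpm
    image-type: php-fpm
    php-version: ${{ matrix.php_version }}
    os-variant: ${{ matrix.os_variant }}
    tier: standard
    target: root
    # Standard tier is the default image, so it carries no tag suffix.
    tag-suffix: ''
    cache-scope-prefix: fpm
    enable-patch-tags: true
    enable-latest-tag: true
    enable-cosign: true
    base-image-type: fpm
    # Smoke test for the built image ($IMAGE is expected to be set by the
    # reusable workflow). Required extensions are checked one at a time: a
    # single `grep -E "a|b|c"` succeeds as soon as ANY one of them is present,
    # so it never detected a missing extension. grep -i is needed because
    # `php -m` lists opcache as "Zend OPcache".
    test-script: |
      echo "Testing $IMAGE..."
      docker run --rm "$IMAGE" php -v
      modules=$(docker run --rm "$IMAGE" php -m)
      for ext in opcache redis pdo_mysql gd imagick; do
        printf '%s\n' "$modules" | grep -qi "$ext" || { echo "Missing extension: $ext"; exit 1; }
      done
      docker run --rm "$IMAGE" composer --version
      docker run --rm "$IMAGE" node --version
      docker run --rm "$IMAGE" cbox-init --version
  # Forwards every repository secret to the reusable workflow; an explicit
  # secret list would be the narrower choice.
  secrets: inherit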
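build-rootless-matrix:
  # Skip only when the upstream php-base run did not succeed; every other
  # trigger (dispatch, repository_dispatch, schedule) runs unconditionally.
  if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name != 'workflow_run' }}
  strategy:
    fail-fast: false
    matrix:
      php_version: ['8.2', '8.3', '8.4', '8.5']
      os_variant: ['bookworm']
  uses: ./.github/workflows/_build-image.yml
  with:
    image-name: php-fpm
    image-type: php-fpm
    php-version: ${{ matrix.php_version }}
    os-variant: ${{ matrix.os_variant }}
    tier: standard
    target: rootless
    rootless: true
    tag-suffix: rootless
    cache-scope-prefix: fpm
    enable-patch-tags: true
    enable-latest-tag: true
    enable-cosign: true
    base-image-type: fpm
    # Smoke test for the built image ($IMAGE is expected to be set by the
    # reusable workflow). Required extensions are checked one at a time: a
    # single `grep -E "a|b|c"` succeeds as soon as ANY one of them is present,
    # so it never detected a missing extension. grep -i is needed because
    # `php -m` lists opcache as "Zend OPcache".
    test-script: |
      echo "Testing rootless image $IMAGE..."
      # Verify running as non-root (www-data = uid 33 on Debian Bookworm)
      docker run --rm "$IMAGE" id -u | grep -E "^33$"
      docker run --rm "$IMAGE" php -v
      modules=$(docker run --rm "$IMAGE" php -m)
      for ext in opcache redis pdo_mysql gd imagick; do
        printf '%s\n' "$modules" | grep -qi "$ext" || { echo "Missing extension: $ext"; exit 1; }
      done
      docker run --rm "$IMAGE" composer --version
      docker run --rm "$IMAGE" node --version
      docker run --rm "$IMAGE" cbox-init --version
  # Forwards every repository secret to the reusable workflow; an explicit
  # secret list would be the narrower choice.
  secrets: inherit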
# ═══════════════════════════════════════════════════════════════════════════
# CHROMIUM TIER - + Chromium for Browsershot/Dusk/Puppeteer
# ═══════════════════════════════════════════════════════════════════════════
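build-chromium-matrix:
  # Skip only when the upstream php-base run did not succeed; every other
  # trigger (dispatch, repository_dispatch, schedule) runs unconditionally.
  if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name != 'workflow_run' }}
  strategy:
    fail-fast: false
    matrix:
      php_version: ['8.2', '8.3', '8.4', '8.5']
      os_variant: ['bookworm']
  uses: ./.github/workflows/_build-image.yml
  with:
    image-name: php-fpm
    image-type: php-fpm
    php-version: ${{ matrix.php_version }}
    os-variant: ${{ matrix.os_variant }}
    tier: chromium
    target: chromium-root
    tag-suffix: chromium
    cache-scope-prefix: fpm
    enable-patch-tags: true
    enable-latest-tag: true
    enable-cosign: true
    base-image-type: fpm
    # Smoke test for the built image ($IMAGE is expected to be set by the
    # reusable workflow). Required extensions are checked one at a time: a
    # single `grep -E "a|b|c"` succeeds as soon as ANY one of them is present,
    # so it never detected a missing extension. grep -i is needed because
    # `php -m` lists opcache as "Zend OPcache".
    test-script: |
      echo "Testing chromium image $IMAGE..."
      docker run --rm "$IMAGE" php -v
      modules=$(docker run --rm "$IMAGE" php -m)
      for ext in opcache redis pdo_mysql gd imagick; do
        printf '%s\n' "$modules" | grep -qi "$ext" || { echo "Missing extension: $ext"; exit 1; }
      done
      docker run --rm "$IMAGE" composer --version
      docker run --rm "$IMAGE" node --version
      docker run --rm "$IMAGE" cbox-init --version
      # Chromium tier should have chromium (binary name differs between packagings)
      docker run --rm "$IMAGE" which chromium-browser || docker run --rm "$IMAGE" which chromium
  # Forwards every repository secret to the reusable workflow; an explicit
  # secret list would be the narrower choice.
  secrets: inherit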
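build-chromium-rootless-matrix:
  # Skip only when the upstream php-base run did not succeed; every other
  # trigger (dispatch, repository_dispatch, schedule) runs unconditionally.
  if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name != 'workflow_run' }}
  strategy:
    fail-fast: false
    matrix:
      php_version: ['8.2', '8.3', '8.4', '8.5']
      os_variant: ['bookworm']
  uses: ./.github/workflows/_build-image.yml
  with:
    image-name: php-fpm
    image-type: php-fpm
    php-version: ${{ matrix.php_version }}
    os-variant: ${{ matrix.os_variant }}
    tier: chromium
    target: chromium-rootless
    rootless: true
    tag-suffix: chromium-rootless
    cache-scope-prefix: fpm
    enable-patch-tags: true
    enable-latest-tag: true
    enable-cosign: true
    base-image-type: fpm
    # Smoke test for the built image ($IMAGE is expected to be set by the
    # reusable workflow). Required extensions are checked one at a time: a
    # single `grep -E "a|b|c"` succeeds as soon as ANY one of them is present,
    # so it never detected a missing extension. grep -i is needed because
    # `php -m` lists opcache as "Zend OPcache".
    test-script: |
      echo "Testing chromium rootless image $IMAGE..."
      # Verify running as non-root. NOTE(review): the slim/standard rootless jobs
      # accept only uid 33 (www-data on Debian Bookworm); confirm which uid the
      # chromium-rootless target actually uses and tighten this to one value.
      docker run --rm "$IMAGE" id -u | grep -E "^(33|82)$"
      docker run --rm "$IMAGE" php -v
      modules=$(docker run --rm "$IMAGE" php -m)
      for ext in opcache redis pdo_mysql gd imagick; do
        printf '%s\n' "$modules" | grep -qi "$ext" || { echo "Missing extension: $ext"; exit 1; }
      done
      docker run --rm "$IMAGE" composer --version
      docker run --rm "$IMAGE" node --version
      # Chromium check (binary name differs between packagings)
      docker run --rm "$IMAGE" which chromium-browser || docker run --rm "$IMAGE" which chromium
  # Forwards every repository secret to the reusable workflow; an explicit
  # secret list would be the narrower choice.
  secrets: inherit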
# ═══════════════════════════════════════════════════════════════════════════
# DEV TIER - Standard + Xdebug, PCOV, SPX for development/testing
# ═══════════════════════════════════════════════════════════════════════════
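build-dev-matrix:
  # Skip only when the upstream php-base run did not succeed; every other
  # trigger (dispatch, repository_dispatch, schedule) runs unconditionally.
  if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name != 'workflow_run' }}
  strategy:
    fail-fast: false
    matrix:
      php_version: ['8.2', '8.3', '8.4', '8.5']
      os_variant: ['bookworm']
  uses: ./.github/workflows/_build-image.yml
  with:
    image-name: php-fpm
    image-type: php-fpm
    php-version: ${{ matrix.php_version }}
    os-variant: ${{ matrix.os_variant }}
    tier: dev
    target: dev-root
    tag-suffix: dev
    cache-scope-prefix: fpm
    enable-patch-tags: true
    enable-latest-tag: true
    enable-cosign: true
    base-image-type: fpm
    # Smoke test for the built image ($IMAGE is expected to be set by the
    # reusable workflow). Required extensions are checked one at a time: a
    # single `grep -E "a|b|c"` succeeds as soon as ANY one of them is present,
    # so it never detected a missing extension. grep -i is needed because
    # `php -m` lists opcache as "Zend OPcache".
    test-script: |
      echo "Testing dev image $IMAGE..."
      docker run --rm "$IMAGE" php -v
      modules=$(docker run --rm "$IMAGE" php -m)
      for ext in opcache redis pdo_mysql gd imagick xdebug pcov spx; do
        printf '%s\n' "$modules" | grep -qi "$ext" || { echo "Missing extension: $ext"; exit 1; }
      done
      docker run --rm "$IMAGE" composer --version
      docker run --rm "$IMAGE" node --version
      docker run --rm "$IMAGE" cbox-init --version
      # Dev tier should have chromium (inherited from chromium tier)
      docker run --rm "$IMAGE" which chromium-browser || docker run --rm "$IMAGE" which chromium
  # Forwards every repository secret to the reusable workflow; an explicit
  # secret list would be the narrower choice.
  secrets: inherit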
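build-dev-rootless-matrix:
  # Skip only when the upstream php-base run did not succeed; every other
  # trigger (dispatch, repository_dispatch, schedule) runs unconditionally.
  if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name != 'workflow_run' }}
  strategy:
    fail-fast: false
    matrix:
      php_version: ['8.2', '8.3', '8.4', '8.5']
      os_variant: ['bookworm']
  uses: ./.github/workflows/_build-image.yml
  with:
    image-name: php-fpm
    image-type: php-fpm
    php-version: ${{ matrix.php_version }}
    os-variant: ${{ matrix.os_variant }}
    tier: dev
    target: dev-rootless
    rootless: true
    tag-suffix: dev-rootless
    cache-scope-prefix: fpm
    enable-patch-tags: true
    enable-latest-tag: true
    enable-cosign: true
    base-image-type: fpm
    # Smoke test for the built image ($IMAGE is expected to be set by the
    # reusable workflow). Dev-only extensions are checked one at a time: a
    # single `grep -E "xdebug|pcov|spx"` succeeds as soon as ANY one of them
    # is present, so it never detected a missing extension.
    test-script: |
      echo "Testing dev rootless image $IMAGE..."
      # Verify running as non-root. NOTE(review): the slim/standard rootless jobs
      # accept only uid 33 (www-data on Debian Bookworm); confirm which uid the
      # dev-rootless target actually uses and tighten this to one value.
      docker run --rm "$IMAGE" id -u | grep -E "^(33|82)$"
      docker run --rm "$IMAGE" php -v
      modules=$(docker run --rm "$IMAGE" php -m)
      for ext in xdebug pcov spx; do
        printf '%s\n' "$modules" | grep -qi "$ext" || { echo "Missing extension: $ext"; exit 1; }
      done
  # Forwards every repository secret to the reusable workflow; an explicit
  # secret list would be the narrower choice.
  secrets: inherit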
# ═══════════════════════════════════════════════════════════════════════════
# Trigger dependent image builds after php-fpm completes
# ═══════════════════════════════════════════════════════════════════════════
trigger-dependent-builds:
needs: [build-slim-matrix, build-slim-rootless-matrix, build-matrix, build-rootless-matrix, build-chromium-matrix, build-chromium-rootless-matrix, build-dev-matrix, build-dev-rootless-matrix]
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
runs-on: [self-hosted, linux, ax41]
permissions:
contents: write
steps:
- name: Trigger php-fpm-nginx build
uses: peter-evans/repository-dispatch@v2
with:
event-type: php-fpm-updated