fix: document cbox-init Management API and fix env var inconsistencies #30
| name: Integration Tests | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| framework-detection-tests: | |
| name: Framework Detection Tests | |
| runs-on: [self-hosted, linux, ax41] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run unit tests | |
| run: | | |
| chmod +x tests/integration/framework-detection/test-runner.sh | |
| ./tests/integration/framework-detection/test-runner.sh | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Read Cbox Init version | |
| id: versions | |
| run: | | |
| echo "CBOX_INIT_VERSION=$(jq -r '.tools.cbox_init' versions.json)" >> $GITHUB_OUTPUT | |
| - name: Download and verify Cbox Init binaries | |
| run: | | |
| mkdir -p cbox-init/binaries | |
| VERSION="${{ steps.versions.outputs.CBOX_INIT_VERSION }}" | |
| BASE_URL="https://github.com/cboxdk/init/releases/download/v${VERSION}" | |
| echo "Downloading Cbox Init v${VERSION}..." | |
| curl -fsSL "${BASE_URL}/cbox-init-linux-amd64" -o cbox-init/binaries/cbox-init-linux-amd64 | |
| curl -fsSL "${BASE_URL}/cbox-init-linux-arm64" -o cbox-init/binaries/cbox-init-linux-arm64 | |
| curl -fsSL "${BASE_URL}/checksums.txt" -o cbox-init/binaries/checksums.txt | |
| echo "Verifying SHA256 checksums..." | |
| cd cbox-init/binaries | |
| grep -E "cbox-init-linux-(amd64|arm64)$" checksums.txt | sha256sum -c - | |
| cd - | |
| chmod +x cbox-init/binaries/cbox-init-* | |
| - name: Build image chain (php-base → php-fpm → php-fpm-nginx) | |
| run: | | |
| echo "=== Building Bookworm chain ===" | |
| docker build --target root --build-arg PHP_VERSION=8.3 -t ghcr.io/cboxdk/php-baseimages/php-base:8.3-bookworm -f php-base/Dockerfile . | |
| docker build --target root --build-arg PHP_VERSION=8.3 -t ghcr.io/cboxdk/php-baseimages/php-fpm:8.3-bookworm -f php-fpm/Dockerfile . | |
| docker build --target root --build-arg PHP_VERSION=8.3 -t ghcr.io/cboxdk/php-baseimages/php-fpm-nginx:8.3-bookworm -f php-fpm-nginx/Dockerfile . | |
| - name: Run Docker integration tests | |
| run: | | |
| chmod +x tests/integration/framework-detection/docker-test.sh | |
| ./tests/integration/framework-detection/docker-test.sh | |
| - name: Upload test results | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: test-results | |
| path: tests/integration/framework-detection/fixtures/ | |
| performance-benchmarks: | |
| name: Performance Benchmarks | |
| runs-on: [self-hosted, linux, ax41] | |
| needs: framework-detection-tests | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Read Cbox Init version | |
| id: versions | |
| run: | | |
| echo "CBOX_INIT_VERSION=$(jq -r '.tools.cbox_init' versions.json)" >> $GITHUB_OUTPUT | |
| - name: Download and verify Cbox Init binaries | |
| run: | | |
| mkdir -p cbox-init/binaries | |
| VERSION="${{ steps.versions.outputs.CBOX_INIT_VERSION }}" | |
| BASE_URL="https://github.com/cboxdk/init/releases/download/v${VERSION}" | |
| echo "Downloading Cbox Init v${VERSION}..." | |
| curl -fsSL "${BASE_URL}/cbox-init-linux-amd64" -o cbox-init/binaries/cbox-init-linux-amd64 | |
| curl -fsSL "${BASE_URL}/cbox-init-linux-arm64" -o cbox-init/binaries/cbox-init-linux-arm64 | |
| curl -fsSL "${BASE_URL}/checksums.txt" -o cbox-init/binaries/checksums.txt | |
| echo "Verifying SHA256 checksums..." | |
| cd cbox-init/binaries | |
| grep -E "cbox-init-linux-(amd64|arm64)$" checksums.txt | sha256sum -c - | |
| cd - | |
| chmod +x cbox-init/binaries/cbox-init-* | |
| - name: Build benchmark image chain (php-base → php-fpm → php-fpm-nginx) | |
| run: | | |
| echo "=== Building Bookworm chain ===" | |
| docker build --target root --build-arg PHP_VERSION=8.3 -t ghcr.io/cboxdk/php-baseimages/php-base:8.3-bookworm -f php-base/Dockerfile . | |
| docker build --target root --build-arg PHP_VERSION=8.3 -t ghcr.io/cboxdk/php-baseimages/php-fpm:8.3-bookworm -f php-fpm/Dockerfile . | |
| docker build --target root --build-arg PHP_VERSION=8.3 -t cbox-bookworm -f php-fpm-nginx/Dockerfile . | |
| - name: Run performance benchmarks | |
| run: | | |
| chmod +x tests/benchmarks/run-benchmarks.sh | |
| ./tests/benchmarks/run-benchmarks.sh | |
| - name: Upload benchmark results | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: benchmark-results | |
| path: tests/benchmarks/results/ | |
| security-scan: | |
| name: CVE Security Scan | |
| runs-on: [self-hosted, linux, ax41] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Read Cbox Init version | |
| id: versions | |
| run: | | |
| echo "CBOX_INIT_VERSION=$(jq -r '.tools.cbox_init' versions.json)" >> $GITHUB_OUTPUT | |
| - name: Download and verify Cbox Init binaries | |
| run: | | |
| mkdir -p cbox-init/binaries | |
| VERSION="${{ steps.versions.outputs.CBOX_INIT_VERSION }}" | |
| BASE_URL="https://github.com/cboxdk/init/releases/download/v${VERSION}" | |
| echo "Downloading Cbox Init v${VERSION}..." | |
| curl -fsSL "${BASE_URL}/cbox-init-linux-amd64" -o cbox-init/binaries/cbox-init-linux-amd64 | |
| curl -fsSL "${BASE_URL}/cbox-init-linux-arm64" -o cbox-init/binaries/cbox-init-linux-arm64 | |
| curl -fsSL "${BASE_URL}/checksums.txt" -o cbox-init/binaries/checksums.txt | |
| echo "Verifying SHA256 checksums..." | |
| cd cbox-init/binaries | |
| grep -E "cbox-init-linux-(amd64|arm64)$" checksums.txt | sha256sum -c - | |
| cd - | |
| chmod +x cbox-init/binaries/cbox-init-* | |
| - name: Build images for scanning (full chain) | |
| run: | | |
| echo "=== Building Bookworm chain ===" | |
| docker build --target root --build-arg PHP_VERSION=8.3 -t ghcr.io/cboxdk/php-baseimages/php-base:8.3-bookworm -f php-base/Dockerfile . | |
| docker build --target root --build-arg PHP_VERSION=8.3 -t ghcr.io/cboxdk/php-baseimages/php-fpm:8.3-bookworm -f php-fpm/Dockerfile . | |
| docker build --target root --build-arg PHP_VERSION=8.3 -t cbox-scan:bookworm -f php-fpm-nginx/Dockerfile . | |
| - name: Install Trivy | |
| run: | | |
| TRIVY_VERSION=0.69.3 | |
| mkdir -p "$HOME/.local/bin" | |
| curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \ | |
| | sh -s -- -b "$HOME/.local/bin" "v${TRIVY_VERSION}" | |
| echo "$HOME/.local/bin" >> "$GITHUB_PATH" | |
| "$HOME/.local/bin/trivy" --version | |
| - name: Run Trivy vulnerability scanner | |
| run: | | |
| trivy image \ | |
| --format sarif \ | |
| --output trivy-bookworm-results.sarif \ | |
| --severity CRITICAL,HIGH \ | |
| cbox-scan:bookworm | |
| - name: Upload Trivy results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: trivy-bookworm-results.sarif | |
| category: trivy-bookworm | |
| - name: Generate security report summary | |
| if: always() | |
| run: | | |
| echo "# Security Scan Results" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "## Debian 12 (Bookworm)" >> $GITHUB_STEP_SUMMARY | |
| trivy image --severity CRITICAL,HIGH --format table cbox-scan:bookworm >> $GITHUB_STEP_SUMMARY || true |
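Review bot: The `Install Trivy` step in the `security-scan` job pipes an unpinned installer fetched from the `main` branch of the trivy repository straight into `sh` on a self-hosted runner; only the Trivy release version `0.69.3` is pinned, not the installer script, so any change to that script runs unchecked, and a self-hosted runner keeps whatever it leaves behind. Fetching the script to a file and comparing it against a pinned checksum before executing it, or downloading the pinned release archive directly, would close that gap. The same consideration applies to the three identical `Download and verify Cbox Init binaries` steps: `checksums.txt` is fetched from the same release URL as the binaries, so `sha256sum -c` only detects transport corruption, not a substituted release; recording the expected digests next to the version in `versions.json` (or verifying a release signature, if the project publishes one) would make the check meaningful, and the duplicated step is a candidate for a composite action. Separately, the workflow-level `permissions` grant `security-events: write` to every job while only `security-scan` uploads SARIF, so moving that grant to the job, e.g. `security-scan:` / `permissions:` / `security-events: write` with `contents: read` kept at the top, would follow least privilege. The section appears to end at the summary step, but the file may continue past the last line shown.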