From 10247316541b6cd8fa9b376486b5df91a1d95eff Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Tue, 10 Mar 2026 16:06:09 +0100 Subject: [PATCH 01/23] ADD pr-scan.yml pipeline, UPDATE PHP to 8.5.3. UPDATE .gitignore, READM.md, and test.yaml. This rebuild will pull imagemagick > 7.1 to address CVEs as found by Trivy. --- .dockerignore | 6 +++ .github/workflows/pr-scan.yml | 36 ++++++++++++++++++ .github/workflows/trivy.yml | 2 +- .gitignore | 3 ++ Dockerfile | 21 ++++++----- README.md | 70 ++++++++++++++++++++++------------- tests.yaml | 2 +- 7 files changed, 102 insertions(+), 38 deletions(-) create mode 100644 .dockerignore create mode 100644 .github/workflows/pr-scan.yml diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..4dacf66 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,6 @@ +.git* +*.md +*test*.* +Dockerfile +LICENSE +trivy-*.json diff --git a/.github/workflows/pr-scan.yml b/.github/workflows/pr-scan.yml new file mode 100644 index 0000000..2f70dc3 --- /dev/null +++ b/.github/workflows/pr-scan.yml 
@@ -0,0 +1,36 @@ +name: PR Security Scan + +on: [pull_request] + +permissions: + contents: read + +jobs: + build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Build + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build an image from Dockerfile + run: | + docker build -t appwrite/docker-base:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + with: + image-ref: 'appwrite/docker-base:${{ github.sha }}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v4.32.6 + with: + sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 6a876d7..2cb046d 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -43,6 +43,6 @@ jobs: severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4.32.6 with: sarif_file: 'trivy-results.sarif' diff --git a/.gitignore b/.gitignore index 485dee6..8704376 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,4 @@ .idea +*.logs +NOTES*.md +trivy-*-results.json \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 4dd57ce..9e85026 100644 --- a/Dockerfile +++ b/Dockerfile 
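Review bot: The Trivy step in this new workflow can never fail the job, because no `exit-code` input is set, so CRITICAL/HIGH findings only land in the Security tab while the PR still shows a green check. If the scan is meant to gate merges, add `exit-code: '1'` (and typically `ignore-unfixed: true`) under the scanner's `with:` block and give the upload step `if: always()` so the SARIF is still uploaded when the scan fails. The checkout and upload-sarif actions are referenced by version tag while trivy-action is pinned to a commit SHA; pinning all three the same way (SHA plus a `# vX.Y.Z` comment) closes the mutable-tag gap for the whole job.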
@@ -1,21 +1,22 @@ -ARG BASEIMAGE="php:8.4.18-cli-alpine3.23" +ARG BASEIMAGE="php:8.5.3-cli-alpine3.23" FROM $BASEIMAGE AS compile -ENV PHP_REDIS_VERSION="6.3.0" \ - PHP_SWOOLE_VERSION="v6.1.7" \ +ENV \ + PHP_BROTLI_VERSION="0.18.3" \ PHP_IMAGICK_VERSION="3.8.1" \ - PHP_MONGODB_VERSION="2.2.1" \ - PHP_YAML_VERSION="2.3.0" \ + PHP_LZ4_VERSION="0.6.0" \ PHP_MAXMINDDB_VERSION="v1.13.1" \ + PHP_MONGODB_VERSION="2.2.1" \ + PHP_OPENTELEMETRY_VERSION="1.2.1" \ + PHP_PROTOBUF_VERSION="5.34.0" \ + PHP_REDIS_VERSION="6.3.0" \ PHP_SCRYPT_VERSION="2.0.1" \ - PHP_ZSTD_VERSION="0.15.2" \ - PHP_BROTLI_VERSION="0.18.3" \ PHP_SNAPPY_VERSION="0.2.3" \ - PHP_LZ4_VERSION="0.6.0" \ + PHP_SWOOLE_VERSION="v6.1.7" \ PHP_XDEBUG_VERSION="3.5.1" \ - PHP_OPENTELEMETRY_VERSION="1.2.1" \ - PHP_PROTOBUF_VERSION="5.34.0" + PHP_YAML_VERSION="2.3.0" \ + PHP_ZSTD_VERSION="0.15.2" RUN apk update && apk upgrade && apk add --no-cache --virtual .deps \ linux-headers \ diff --git a/README.md b/README.md index 1b4e37c..9acff6d 100644 --- a/README.md +++ b/README.md 
@@ -1,10 +1,10 @@ # Docker Base +[![Build Status](https://img.shields.io/travis/com/appwrite/docker-base?style=flat-square)](https://travis-ci.com/appwrite/docker-base) [![Discord](https://img.shields.io/discord/564160730845151244?label=discord&style=flat-square)](https://appwrite.io/discord) [![Docker Pulls](https://img.shields.io/docker/pulls/appwrite/base?color=f02e65&style=flat-square)](https://hub.docker.com/r/appwrite/base) -[![Build Status](https://img.shields.io/travis/com/appwrite/docker-base?style=flat-square)](https://travis-ci.com/appwrite/docker-base) -[![Twitter Account](https://img.shields.io/twitter/follow/appwrite?color=00acee&label=twitter&style=flat-square)](https://twitter.com/appwrite) [![Follow Appwrite on StackShare](https://img.shields.io/badge/follow%20on-stackshare-blue?style=flat-square)](https://stackshare.io/appwrite) +[![Twitter Account](https://img.shields.io/twitter/follow/appwrite?color=00acee&label=twitter&style=flat-square)](https://twitter.com/appwrite) [Appwrite](https://appwrite.io) base docker image with applications and extensions built and installed. 
@@ -12,49 +12,67 @@ These instructions will cover usage information to help your run Appwrite's base docker container. -### Prerequisites +### NOTE -In order to run this container you'll need docker installed. +* For example usage `latest` is stated in the commands. The Appwrite team recommends using pinned version releases outside of development. +* We use `Docker` but you may use any compatible container runtime in its place. + +## Prerequisites + +In order to run this container you'll need the Docker runtime installed. + +**Docker** -* [Windows](https://docs.docker.com/windows/started) -* [OS X](https://docs.docker.com/mac/started/) * [Linux](https://docs.docker.com/linux/started/) +* [OS X](https://docs.docker.com/mac/started/) +* [Windows](https://docs.docker.com/windows/started) -### Usage +* [Docker buildx](https://github.com/docker/buildx) -```shell -docker run appwrite/base -``` +**Optional** -### Testing +* [GoogleContainerTools/container-structure-test](https://github.com/GoogleContainerTools/container-structure-test) for testing +* [Trivy](https://trivy.dev/) for CVE scanning -We use [Container Structure Test](https://github.com/GoogleContainerTools/container-structure-test) to run test for the docker image. In order to run test first install Container strucutre test using the following command. +## Build -```bash -curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 && chmod +x container-structure-test-linux-amd64 && sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test +```shell +time docker build --tag appwrite/base:latest . | tee "build-$(date +%s).log" +# tee "build-$(date +%s).log" 0.00s user 0.04s system 0% cpu 51.225 total ``` -### Run Test +## Scan -First build and tag the docker image and then run the test using the configuration file. - -```bash -docker build -t appwrite-base-test . 
-container-structure-test test --config tests.yaml --image appwrite-base-test +```shell +trivy image --format json --pkg-types os,library --severity CRITICAL,HIGH --output trivy-image-results.json appwrite/base:latest | tee "scan-$(date +%s).log" +# success is a zero exit code ``` -### Build +## Test ```bash -docker build --tag appwrite/base:1.0.0 . - -docker push appwrite/base:1.0.0 +container-structure-test test --config tests.yaml --image appwrite/base:latest | tee "test-$(date +%s).log" +# PASS ``` -Multi-arch build (using [buildx](https://github.com/docker/buildx)): +## Run +```shell +docker run appwrite/base:latest php -m| tee "run-$(date +%s).log" +# ... +# yaml +# Zend OPcache +# zlib +# zstd +# +# [Zend Modules] +# Zend OPcache ``` -docker buildx build --platform linux/amd64,linux/arm64/v8,linux/ppc64le --tag appwrite/base:1.0.0 --push . + +## Push + +```bash +docker push appwrite/base:latest | tee "push-$(date +%s).log" ``` ## Find Us diff --git a/tests.yaml b/tests.yaml index 4f7b57a..68b63ed 100644 --- a/tests.yaml +++ b/tests.yaml @@ -4,7 +4,7 @@ commandTests: - name: 'Imagemagick command' command: "magick" args: ["--version"] - expectedOutput: [".*ImageMagick 7.1.*"] + expectedOutput: [".*ImageMagick 7.1.2.15"] - name: 'rsync command' command: "rsync" args: ["--version"] From 418bfe0f96524d3859ece4dd28c4f4bd901049c1 Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Tue, 10 Mar 2026 16:09:35 +0100 Subject: [PATCH 02/23] FIX Trivy scanning step name --- .github/workflows/pr-scan.yml | 2 +- README.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-scan.yml b/.github/workflows/pr-scan.yml index 2f70dc3..07b2010 100644 --- a/.github/workflows/pr-scan.yml +++ b/.github/workflows/pr-scan.yml @@ -6,7 +6,7 @@ permissions: contents: read jobs: - build: + scan: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results 
diff --git a/README.md b/README.md index 9acff6d..0fbf715 100644 --- a/README.md +++ b/README.md @@ -84,3 +84,4 @@ docker push appwrite/base:latest | tee "push-$(date +%s).log" ## Copyright and license The MIT License (MIT) [http://www.opensource.org/licenses/mit-license.php](http://www.opensource.org/licenses/mit-license.php) + From d6fe48d6b27958e3a85f481fe38d1a4b5f493db0 Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Tue, 10 Mar 2026 16:15:35 +0100 Subject: [PATCH 03/23] REVERT PHP to 8.4.18 due to build failure --- Dockerfile | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9e85026..22e1aae 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,22 +1,21 @@ -ARG BASEIMAGE="php:8.5.3-cli-alpine3.23" +ARG BASEIMAGE="php:8.4.18-cli-alpine3.23" FROM $BASEIMAGE AS compile -ENV \ - PHP_BROTLI_VERSION="0.18.3" \ +ENV PHP_REDIS_VERSION="6.3.0" \ + PHP_SWOOLE_VERSION="v6.1.7" \ PHP_IMAGICK_VERSION="3.8.1" \ - PHP_LZ4_VERSION="0.6.0" \ - PHP_MAXMINDDB_VERSION="v1.13.1" \ PHP_MONGODB_VERSION="2.2.1" \ - PHP_OPENTELEMETRY_VERSION="1.2.1" \ - PHP_PROTOBUF_VERSION="5.34.0" \ - PHP_REDIS_VERSION="6.3.0" \ + PHP_YAML_VERSION="2.3.0" \ + PHP_MAXMINDDB_VERSION="v1.13.1" \ PHP_SCRYPT_VERSION="2.0.1" \ + PHP_ZSTD_VERSION="0.15.2" \ + PHP_BROTLI_VERSION="0.18.3" \ PHP_SNAPPY_VERSION="0.2.3" \ - PHP_SWOOLE_VERSION="v6.1.7" \ + PHP_LZ4_VERSION="0.6.0" \ PHP_XDEBUG_VERSION="3.5.1" \ - PHP_YAML_VERSION="2.3.0" \ - PHP_ZSTD_VERSION="0.15.2" + PHP_OPENTELEMETRY_VERSION="1.2.1" \ + PHP_PROTOBUF_VERSION="5.34.0" RUN apk update && apk upgrade && apk add --no-cache --virtual .deps \ linux-headers \ @@ -80,7 +79,7 @@ RUN \ ./configure && \ make && make install -## Maxminddb extension +## Maxminddb Extension FROM compile AS maxmind RUN \ git clone --depth 1 --branch $PHP_MAXMINDDB_VERSION https://github.com/maxmind/MaxMind-DB-Reader-php.git && \ From 955d0671d30041cffba24d22c8eb4df107d7f906 Mon Sep 17 00:00:00 2001 
From: David J Eddy Date: Tue, 10 Mar 2026 16:31:45 +0100 Subject: [PATCH 04/23] UPDATED aquasecurity/trivy-action to 0.35.0 --- .github/workflows/pr-scan.yml | 6 ++++-- .github/workflows/trivy.yml | 2 +- .gitignore | 4 ++-- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pr-scan.yml b/.github/workflows/pr-scan.yml index 07b2010..0e63256 100644 --- a/.github/workflows/pr-scan.yml +++ b/.github/workflows/pr-scan.yml @@ -1,6 +1,8 @@ name: PR Security Scan -on: [pull_request] +on: + pull_request_target: + types: [opened, synchronize, reopened] permissions: contents: read @@ -22,7 +24,7 @@ jobs: docker build -t appwrite/docker-base:${{ github.sha }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + uses: aquasecurity/trivy-action@0.35.0 with: image-ref: 'appwrite/docker-base:${{ github.sha }}' format: 'template' diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 2cb046d..1f0df1c 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -34,7 +34,7 @@ jobs: docker build -t appwrite/docker-base:${{ github.sha }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + uses: aquasecurity/trivy-action@0.35.0 with: image-ref: 'appwrite/docker-base:${{ github.sha }}' format: 'template' diff --git a/.gitignore b/.gitignore index 8704376..1511ccc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ .idea -*.logs +*/*.logs NOTES*.md -trivy-*-results.json \ No newline at end of file +trivy-*-results.json From e7c0e319a8366c2f5e81478787f1163cc23d6c9e Mon Sep 17 00:00:00 2001 
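Review bot: Switching the trigger to `pull_request_target` changes which code this job scans: `actions/checkout` without a `ref` checks out the base branch on that event, so `docker build .` builds the Dockerfile already on the target branch, not the one the PR proposes, and the scan no longer exercises the change under review. If the checkout were later pointed at the PR head to fix that, the job would build an untrusted Dockerfile with the base repository's token and `security-events: write`, which is the known hazard of this event. For scanning the proposed change the previous `pull_request` trigger is the safer choice; PATCH 07 later in this series moves it to `on: push`, which also sidesteps the issue.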
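Review bot: Replacing the commit-SHA pin of `aquasecurity/trivy-action` with the mutable tag `0.35.0` weakens the supply-chain posture this file had one commit earlier, since a tag can be moved after the fact while a SHA cannot; the same regression is in the `.github/workflows/trivy.yml` hunk of this patch. Prefer `uses: aquasecurity/trivy-action@<commit-sha-of-v0.35.0> # v0.35.0` so the version stays readable in the comment while the reference remains immutable.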
From: David J Eddy Date: Wed, 11 Mar 2026 09:17:17 +0100 Subject: [PATCH 05/23] Version bumped PHP/Swoole in container image --- .gitignore | 2 +- CHANGES.md | 22 ++++++++++++++++++++++ Dockerfile | 6 +++--- README.md | 2 ++ 4 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 CHANGES.md diff --git a/.gitignore b/.gitignore index 1511ccc..19f8560 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ .idea -*/*.logs +*.log NOTES*.md trivy-*-results.json diff --git a/CHANGES.md b/CHANGES.md new file mode 100644 index 0000000..c53c48d --- /dev/null +++ b/CHANGES.md @@ -0,0 +1,22 @@ +# Version 0.2.0 + +### Add + +* CHANGELOG.md +* .dockerignore + +### Change + +* .gitignore now includes log and scanning output rules +* ImageMagick version bumped to 7.1.2.15, tests.yaml aligned to ensure new version +* PHP version bumped to 8.5.3 +* Swoole version bumped to 6.2.0 + +### Fixes + +* README.md usage instructions more detailed + +### Miscellaneous + +### Removed + diff --git a/Dockerfile b/Dockerfile index 22e1aae..55ca9d5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,9 @@ -ARG BASEIMAGE="php:8.4.18-cli-alpine3.23" +ARG BASEIMAGE="php:8.5.3-cli-alpine3.23" FROM $BASEIMAGE AS compile ENV PHP_REDIS_VERSION="6.3.0" \ - PHP_SWOOLE_VERSION="v6.1.7" \ + PHP_SWOOLE_VERSION="6.2.0" \ PHP_IMAGICK_VERSION="3.8.1" \ PHP_MONGODB_VERSION="2.2.1" \ PHP_YAML_VERSION="2.3.0" \ @@ -54,7 +54,7 @@ RUN \ ## Swoole Extension FROM compile AS swoole RUN \ - git clone --depth 1 --branch $PHP_SWOOLE_VERSION https://github.com/swoole/swoole-src.git && \ + git clone --depth 1 --branch v$PHP_SWOOLE_VERSION https://github.com/swoole/swoole-src.git && \ cd swoole-src && \ phpize && \ ./configure --enable-sockets --enable-http2 --enable-openssl --enable-swoole-curl && \ diff --git a/README.md b/README.md index 0fbf715..679f3cf 100644 --- a/README.md +++ b/README.md 
@@ -71,6 +71,8 @@ docker run appwrite/base:latest php -m| tee "run-$(date +%s).log" ## Push +Note: Build of the image and push to the registry shoudl be handle by automation. + ```bash docker push appwrite/base:latest | tee "push-$(date +%s).log" ``` From fa5df866a1262174d7feee13677a1cbd6fb3ca77 Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Wed, 11 Mar 2026 09:45:06 +0100 Subject: [PATCH 06/23] CI trigger --- .github/workflows/pr-scan.yml | 2 +- README.md | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/pr-scan.yml b/.github/workflows/pr-scan.yml index 0e63256..3b68136 100644 --- a/.github/workflows/pr-scan.yml +++ b/.github/workflows/pr-scan.yml @@ -8,7 +8,7 @@ permissions: contents: read jobs: - scan: + build: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results diff --git a/README.md b/README.md index 679f3cf..a981f22 100644 --- a/README.md +++ b/README.md @@ -86,4 +86,3 @@ docker push appwrite/base:latest | tee "push-$(date +%s).log" ## Copyright and license The MIT License (MIT) [http://www.opensource.org/licenses/mit-license.php](http://www.opensource.org/licenses/mit-license.php) - From eb8970904359dff2cbc5fead29db69dd74e69051 Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Wed, 11 Mar 2026 09:54:06 +0100 Subject: [PATCH 07/23] Running pr-scan CI on any push. Every commit should be built, even if they fail. But main branch should always be successful. --- .github/workflows/pr-scan.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/pr-scan.yml b/.github/workflows/pr-scan.yml index 3b68136..f76d332 100644 --- a/.github/workflows/pr-scan.yml +++ b/.github/workflows/pr-scan.yml @@ -1,8 +1,6 @@ name: PR Security Scan -on: - pull_request_target: - types: [opened, synchronize, reopened] +on: push permissions: contents: read 
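Review bot: With `on: push` and no `pull_request` trigger, pull requests from forks are never scanned before merge, because pushes to a fork fire in the fork rather than in this repository, and the name `PR Security Scan` no longer describes what runs. If the goal in the commit message is that every commit is built while main stays green, `on: [push, pull_request]` keeps both behaviours, with the caveat that `security-events: write` is not granted to fork PRs, so the SARIF upload step would need to be skipped or marked `continue-on-error: true` on those runs.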
From a2e5fd86e99cd1ff68079e58d2a5d67db476899c Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Wed, 11 Mar 2026 10:38:32 +0100 Subject: [PATCH 08/23] T/Sing build issue of not finding zstd so --- Dockerfile | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index 55ca9d5..06ceb23 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -210,21 +210,25 @@ RUN \ WORKDIR /usr/src/code -COPY --from=swoole /usr/local/lib/php/extensions/no-debug-non-zts-20240924/swoole.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=redis /usr/local/lib/php/extensions/no-debug-non-zts-20240924/redis.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ +RUN chmod +x /usr/local/lib/php/extensions/no-debug-non-zts-20240924/*.so + +RUN ls -lah /usr/local/lib/php/extensions/no-debug-non-zts-20240924 + +COPY --from=brotli /usr/local/lib/php/extensions/no-debug-non-zts-20240924/brotli.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ +COPY --from=gd /usr/local/lib/php/extensions/no-debug-non-zts-20240924/gd.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ COPY --from=imagick /usr/local/lib/php/extensions/no-debug-non-zts-20240924/imagick.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=yaml /usr/local/lib/php/extensions/no-debug-non-zts-20240924/yaml.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ +COPY --from=lz4 /usr/local/lib/php/extensions/no-debug-non-zts-20240924/lz4.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ COPY --from=maxmind /usr/local/lib/php/extensions/no-debug-non-zts-20240924/maxminddb.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ +COPY --from=mongodb /usr/local/lib/php/extensions/no-debug-non-zts-20240924/mongodb.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ +COPY --from=opentelemetry /usr/local/lib/php/extensions/no-debug-non-zts-20240924/opentelemetry.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ +COPY --from=protobuf /usr/local/lib/php/extensions/no-debug-non-zts-20240924/protobuf.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ +COPY --from=redis /usr/local/lib/php/extensions/no-debug-non-zts-20240924/redis.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ COPY --from=scrypt 
/usr/local/lib/php/extensions/no-debug-non-zts-20240924/scrypt.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=zstd /usr/local/lib/php/extensions/no-debug-non-zts-20240924/zstd.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=brotli /usr/local/lib/php/extensions/no-debug-non-zts-20240924/brotli.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=lz4 /usr/local/lib/php/extensions/no-debug-non-zts-20240924/lz4.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ COPY --from=snappy /usr/local/lib/php/extensions/no-debug-non-zts-20240924/snappy.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ +COPY --from=swoole /usr/local/lib/php/extensions/no-debug-non-zts-20240924/swoole.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ COPY --from=xdebug /usr/local/lib/php/extensions/no-debug-non-zts-20240924/xdebug.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=opentelemetry /usr/local/lib/php/extensions/no-debug-non-zts-20240924/opentelemetry.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=protobuf /usr/local/lib/php/extensions/no-debug-non-zts-20240924/protobuf.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=gd /usr/local/lib/php/extensions/no-debug-non-zts-20240924/gd.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=mongodb /usr/local/lib/php/extensions/no-debug-non-zts-20240924/mongodb.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ +COPY --from=yaml /usr/local/lib/php/extensions/no-debug-non-zts-20240924/yaml.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ +COPY --from=zstd /usr/local/lib/php/extensions/no-debug-non-zts-20240924/zstd.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ # Enable Extensions RUN docker-php-ext-enable swoole redis imagick yaml maxminddb scrypt zstd brotli lz4 snappy opentelemetry protobuf gd mongodb 
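Review bot: The new `RUN chmod +x …/*.so` and `RUN ls -lah …` instructions are placed in the final stage before any `COPY --from=` line, so they only touch the extensions the base image already ships; the copied `.so` files arrive in later layers and are unaffected, which means neither instruction can be what resolves the missing zstd object. Both also persist as layers in the shipped image and `ls` output is only visible in the build log, so they read as troubleshooting leftovers; drop them (as PATCH 09 in this series does) or, if the mode bits genuinely matter, use `--chmod=` on the individual `COPY --from=zstd …` line. Since the extension directory name is fixed by the PHP API date of the base image, a `.so` not being found is more likely a mismatch between the hard-coded `20240924` and the PHP 8.5 base than a permission problem; worth confirming against `php-config --extension-dir` in the compile stage.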
From 1a804b0ce57e7900d09f23facbc3ba379e6cbc3c Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Wed, 11 Mar 2026 13:39:32 +0100 Subject: [PATCH 09/23] Updated pipeline action versions --- .github/workflows/build-and-push.yml | 8 +- .github/workflows/pr-scan.yml | 2 +- .github/workflows/test.yml | 2 +- .github/workflows/trivy.yml | 2 +- CHANGES.md | 14 +- Dockerfile | 223 +++++++++++++++++---------- README.md | 6 +- TODO.md | 11 ++ 8 files changed, 171 insertions(+), 97 deletions(-) create mode 100644 TODO.md diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 88679e2..7b4a14c 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -14,19 +14,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repo - uses: actions/checkout@v3 + uses: actions/checkout@v6.0.2 - name: Login to DockerHub - uses: docker/login-action@v2 + uses: docker/login-action@v4 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v4 - name: Build and push uses: docker/build-push-action@v4 diff --git a/.github/workflows/pr-scan.yml b/.github/workflows/pr-scan.yml index f76d332..3bfe03e 100644 --- a/.github/workflows/pr-scan.yml +++ b/.github/workflows/pr-scan.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6.0.2 - name: Build an image from Dockerfile run: | diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3712ce8..1948c37 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repo - uses: actions/checkout@v3 + uses: actions/checkout@v6.0.2 - name: Setup container structure test run: | diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 1f0df1c..6fbf98f 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6.0.2 - name: Build an image from Dockerfile run: | diff --git a/CHANGES.md b/CHANGES.md index c53c48d..f81ef6c 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,13 +1,22 @@ -# Version 0.2.0 +# CHANGELOG + +## Version 0.2.0 ### Add -* CHANGELOG.md * .dockerignore +* .github/workflows/pr-scan.yml to scan all commit pushes for vulnerabilities +* base_image and php_build_date to containber labels +* CHANGELOG.md ### Change +* .github/*.yml steps updated to latest versions * .gitignore now includes log and scanning output rules +* Better document use of `docker-buildx build ...` for local builds +* Better noted and organized the different build processes for PHP extensions +* Date component of PHP extension shared objects directory now a build argument +* Dockerfile compile and final stage system packages aligned * ImageMagick version bumped to 7.1.2.15, tests.yaml aligned to ensure new version * PHP version bumped to 8.5.3 * Swoole version bumped to 6.2.0 @@ -19,4 +28,3 @@ ### Miscellaneous ### Removed - diff --git a/Dockerfile b/Dockerfile index 06ceb23..980f248 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,7 @@ -ARG BASEIMAGE="php:8.5.3-cli-alpine3.23" +ARG BASE_IMAGE="php:8.5.3-cli-alpine3.23" +ARG PHP_BUILD_DATE="20250925" -FROM $BASEIMAGE AS compile +FROM $BASE_IMAGE AS compile ENV PHP_REDIS_VERSION="6.3.0" \ PHP_SWOOLE_VERSION="6.2.0" \ 
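Review bot: `ARG PHP_BUILD_DATE="20250925"` is the extension API date of the default base image, and every `COPY --from=` path in the final stage now depends on it matching `BASE_IMAGE`; anyone overriding `--build-arg BASE_IMAGE` to another PHP minor gets a build that fails on the copy or, worse, copies into a directory PHP never scans. A comment beside the ARG such as `# Must equal the API date of BASE_IMAGE's PHP (compare: php -r 'echo PHP_EXTENSION_DIR;')` documents the coupling, and resolving the path from `php-config --extension-dir` inside the build would remove it. This hunk covers only the first lines of the Dockerfile; the stages that consume the ARG are further down.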
@@ -17,30 +18,46 @@ ENV PHP_REDIS_VERSION="6.3.0" \ PHP_OPENTELEMETRY_VERSION="1.2.1" \ PHP_PROTOBUF_VERSION="5.34.0" -RUN apk update && apk upgrade && apk add --no-cache --virtual .deps \ - linux-headers \ - make \ - automake \ - autoconf \ - gcc \ - g++ \ - git \ - zlib-dev \ - openssl-dev \ - yaml-dev \ - imagemagick \ - imagemagick-dev \ - libjpeg-turbo-dev \ - jpeg-dev \ - libpng-dev \ - libjxl-dev \ - libmaxminddb-dev \ - zstd-dev \ - brotli-dev \ - lz4-dev \ - curl-dev +RUN \ + apk update && \ + apk upgrade && \ + apk add --no-cache --virtual .deps \ + && apk add --no-cache \ + autoconf \ + automake \ + brotli-dev \ + certbot \ + curl-dev \ + docker-cli \ + docker-cli-compose \ + g++ \ + gcc \ + git \ + imagemagick \ + imagemagick-dev \ + imagemagick-heic \ + jpeg-dev \ + libavif \ + libgomp \ + libheif \ + libjpeg-turbo-dev \ + libjxl-dev \ + libmaxminddb-dev \ + libpng-dev \ + libstdc++ \ + libwebp \ + linux-headers \ + lz4-dev \ + make \ + openssl-dev \ + postgresql-dev \ + rsync \ + yaml-dev \ + zip \ + zlib-dev \ + zstd-dev -RUN docker-php-ext-install sockets +# compile from source instals FROM compile AS redis RUN \ @@ -54,7 +71,7 @@ RUN \ ## Swoole Extension FROM compile AS swoole RUN \ - git clone --depth 1 --branch v$PHP_SWOOLE_VERSION https://github.com/swoole/swoole-src.git && \ + git clone --depth 1 --branch $PHP_SWOOLE_VERSION https://github.com/swoole/swoole-src.git && \ cd swoole-src && \ phpize && \ ./configure --enable-sockets --enable-http2 --enable-openssl --enable-swoole-curl && \ 
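Review bot: `apk add --no-cache --virtual .deps \` followed directly by `&& apk add --no-cache \` declares the `.deps` virtual package with no members, so every build tool and `-dev` header is installed as a regular package; in this `compile` stage that is harmless because the stage is discarded, but the identical rewrite in the final-stage hunk (`@@ -153,85 +170,123 @@`) of this patch still ends with `apk del .deps`, which then removes nothing, and the shipped image keeps gcc, g++, make, autoconf, automake, git, linux-headers and all the `-dev` packages that the previous version uninstalled. That grows the image and adds a compiler toolchain to the runtime attack surface, and the scanner this series introduces is likely to report on the extra packages. The build-only packages belong back under `--virtual .deps` (or only in `compile`), with just the runtime libraries in the second `apk add`; `apk update` is also redundant next to `--no-cache`. Separately, `certbot`, `docker-cli`, `docker-cli-compose`, `postgresql-dev`, `rsync` and `zip` are not needed to compile extensions and could stay out of `compile`.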
@@ -153,85 +170,123 @@ RUN \ ./configure && \ make && make install +# PHP PECL installs + FROM compile AS opentelemetry RUN pecl install opentelemetry-${PHP_OPENTELEMETRY_VERSION} FROM compile AS protobuf RUN pecl install protobuf-${PHP_PROTOBUF_VERSION} +# docker-php-extensions installs + FROM compile AS gd RUN docker-php-ext-install gd -FROM $BASEIMAGE AS final +FROM compile AS sockets +RUN docker-php-ext-install sockets + +FROM compile AS pdo_mysql +RUN docker-php-ext-install pdo pdo_mysql + +FROM compile AS pdo_pgsql +RUN docker-php-ext-install pdo pdo_pgsql + +FROM compile AS intl +RUN docker-php-ext-install intl + +FROM $BASE_IMAGE AS final + +# PAss in ARGS to use as label values and path components + +ARG BASE_IMAGE +ARG PHP_BUILD_DATE +LABEL base_image=$BASE_IMAGE LABEL maintainer="team@appwrite.io" +LABEL php_build_date=$PHP_BUILD_DATE -RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone +RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && \ + echo $TZ > /etc/timezone RUN \ - apk update \ - && apk upgrade \ - && apk add --no-cache --virtual .deps \ - linux-headers \ - make \ - automake \ - autoconf \ - gcc \ - g++ \ - curl-dev \ - && apk add --no-cache \ - libstdc++ \ - rsync \ - brotli-dev \ - lz4-dev \ - yaml-dev \ - imagemagick \ - imagemagick-dev \ - libjpeg-turbo-dev \ - jpeg-dev \ - libjxl-dev \ - libavif \ - libheif \ - libwebp \ - imagemagick-heic \ - zlib-dev \ - libpng-dev \ - libmaxminddb-dev \ - certbot \ - docker-cli \ - docker-cli-compose \ - libgomp \ - git \ - zip \ - postgresql-dev \ - && docker-php-ext-install sockets pdo_mysql pdo_pgsql intl \ + apk update && \ + apk upgrade && \ + apk add --no-cache --virtual .deps \ + && apk add --no-cache \ + autoconf \ + automake \ + brotli-dev \ + certbot \ + curl-dev \ + docker-cli \ + docker-cli-compose \ + g++ \ + gcc \ + git \ + imagemagick \ + imagemagick-dev \ + imagemagick-heic \ + jpeg-dev \ + libavif \ + libgomp \ + libheif \ + libjpeg-turbo-dev \ + libjxl-dev 
\ + libmaxminddb-dev \ + libpng-dev \ + libstdc++ \ + libwebp \ + linux-headers \ + lz4-dev \ + make \ + openssl-dev \ + postgresql-dev \ + rsync \ + yaml-dev \ + zip \ + zstd-dev \ && apk del .deps \ && rm -rf /var/cache/apk/* WORKDIR /usr/src/code -RUN chmod +x /usr/local/lib/php/extensions/no-debug-non-zts-20240924/*.so - -RUN ls -lah /usr/local/lib/php/extensions/no-debug-non-zts-20240924 - -COPY --from=brotli /usr/local/lib/php/extensions/no-debug-non-zts-20240924/brotli.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=gd /usr/local/lib/php/extensions/no-debug-non-zts-20240924/gd.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=imagick /usr/local/lib/php/extensions/no-debug-non-zts-20240924/imagick.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=lz4 /usr/local/lib/php/extensions/no-debug-non-zts-20240924/lz4.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=maxmind /usr/local/lib/php/extensions/no-debug-non-zts-20240924/maxminddb.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=mongodb /usr/local/lib/php/extensions/no-debug-non-zts-20240924/mongodb.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=opentelemetry /usr/local/lib/php/extensions/no-debug-non-zts-20240924/opentelemetry.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=protobuf /usr/local/lib/php/extensions/no-debug-non-zts-20240924/protobuf.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=redis /usr/local/lib/php/extensions/no-debug-non-zts-20240924/redis.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=scrypt /usr/local/lib/php/extensions/no-debug-non-zts-20240924/scrypt.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=snappy /usr/local/lib/php/extensions/no-debug-non-zts-20240924/snappy.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY 
--from=swoole /usr/local/lib/php/extensions/no-debug-non-zts-20240924/swoole.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=xdebug /usr/local/lib/php/extensions/no-debug-non-zts-20240924/xdebug.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=yaml /usr/local/lib/php/extensions/no-debug-non-zts-20240924/yaml.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ -COPY --from=zstd /usr/local/lib/php/extensions/no-debug-non-zts-20240924/zstd.so /usr/local/lib/php/extensions/no-debug-non-zts-20240924/ +COPY --from=brotli /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/brotli.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=gd /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/gd.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=imagick /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/imagick.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=intl /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/intl.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=lz4 /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/lz4.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=maxmind /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/maxminddb.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=mongodb /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/mongodb.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=opentelemetry /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/opentelemetry.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=pdo_mysql /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/pdo_mysql.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY 
--from=pdo_pgsql /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/pdo_pgsql.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=protobuf /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/protobuf.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=redis /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/redis.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=scrypt /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/scrypt.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=snappy /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/snappy.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=sockets /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/sockets.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=swoole /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/swoole.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=xdebug /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/xdebug.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=yaml /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/yaml.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ +COPY --from=zstd /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/zstd.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ # Enable Extensions -RUN docker-php-ext-enable swoole redis imagick yaml maxminddb scrypt zstd brotli lz4 snappy opentelemetry protobuf gd mongodb +RUN docker-php-ext-enable \ + brotli \ + gd \ + imagick \ + lz4 \ + maxminddb \ + mongodb \ + opentelemetry \ + protobuf \ + redis \ + scrypt \ + snappy \ + swoole \ + yaml \ + zstd EXPOSE 80 diff --git a/README.md b/README.md index a981f22..d3acadb 100644 --- a/README.md 
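Review bot: The final stage now copies `intl.so`, `pdo_mysql.so`, `pdo_pgsql.so` and `sockets.so` from their new stages, but the `docker-php-ext-enable` list at the end of the hunk still names only the original fourteen extensions, so these four are present on disk and never loaded; the removed `docker-php-ext-install sockets pdo_mysql pdo_pgsql intl` used to enable them as part of the install. Add `intl`, `pdo_mysql`, `pdo_pgsql` and `sockets` to the enable list, and note that `icu-dev` is not in the compile-stage package list, so the `intl` stage may not build at all. Separately, `RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone` runs in a stage that declares no `TZ` ARG or ENV in this diff, so unless it is inherited from the base image the link points at the directory and the timezone file is written empty; `ARG TZ=UTC` before it would make the intent explicit. The final stage also still ends without a `USER` instruction; if downstream images are expected to set one, a comment saying so next to `EXPOSE 80` would state that contract.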
+++ b/README.md @@ -10,7 +10,7 @@ ## Getting Started -These instructions will cover usage information to help your run Appwrite's base docker container. +This project contains Appwrite's PHP base container image. ### NOTE @@ -37,8 +37,8 @@ In order to run this container you'll need the Docker runtime installed. ## Build ```shell -time docker build --tag appwrite/base:latest . | tee "build-$(date +%s).log" -# tee "build-$(date +%s).log" 0.00s user 0.04s system 0% cpu 51.225 total +time docker-buildx build --no-cache --tag appwrite/base:latest . | tee "build-$(date +%s).log" +# tee "build-$(date +%s).log" 0.00s user 0.01s system 0% cpu 4:20.31 total ``` ## Scan diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..55d769b --- /dev/null +++ b/TODO.md @@ -0,0 +1,11 @@ +# TODO + +- [add dive analysis to project](https://github.com/marketplace/actions/dive-action) +- install gd and run stage should be separate +- xdebug should not be in a production image +- can we get pre-compiled extensions *.so +- xdebug as separate image `appwrite-XYZ-xdebug` +- use Swoole base image +- changelog aligning with appwrite/appwrite +- DOCKER_BUILDKIT=1 + buildx to parallel build the PHP extensions +- audit system packages in Dockerfile -> final From 5b993d09ca40e878fc7ac3cc6fa371b01be1124f Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Wed, 11 Mar 2026 14:16:13 +0100 Subject: [PATCH 10/23] Build passing tests now --- Dockerfile | 61 ++++++++++++++++++++++-------------------------------- README.md | 3 +-- TODO.md | 1 + 3 files changed, 27 insertions(+), 38 deletions(-) diff --git a/Dockerfile b/Dockerfile index 980f248..6e41619 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -3,20 +3,21 @@ ARG PHP_BUILD_DATE="20250925"
 FROM $BASE_IMAGE AS compile
-ENV PHP_REDIS_VERSION="6.3.0" \
- PHP_SWOOLE_VERSION="6.2.0" \
+ENV \
+ PHP_BROTLI_VERSION="0.18.3" \
 PHP_IMAGICK_VERSION="3.8.1" \
- PHP_MONGODB_VERSION="2.2.1" \
- PHP_YAML_VERSION="2.3.0" \
+ PHP_LZ4_VERSION="0.6.0" \
 PHP_MAXMINDDB_VERSION="v1.13.1" \
+ PHP_MONGODB_VERSION="2.2.1" \
+ PHP_OPENTELEMETRY_VERSION="1.2.1" \
+ PHP_PROTOBUF_VERSION="5.34.0" \
+ PHP_REDIS_VERSION="6.3.0" \
 PHP_SCRYPT_VERSION="2.0.1" \
- PHP_ZSTD_VERSION="0.15.2" \
- PHP_BROTLI_VERSION="0.18.3" \
 PHP_SNAPPY_VERSION="0.2.3" \
- PHP_LZ4_VERSION="0.6.0" \
+ PHP_SWOOLE_VERSION="6.2.0" \
 PHP_XDEBUG_VERSION="3.5.1" \
- PHP_OPENTELEMETRY_VERSION="1.2.1" \
- PHP_PROTOBUF_VERSION="5.34.0"
+ PHP_YAML_VERSION="2.3.0" \
+ PHP_ZSTD_VERSION="0.15.2"
 RUN \
 apk update && \
@@ -57,11 +58,11 @@ RUN \
 zlib-dev \
 zstd-dev
-# compile from source instals
+# compile from source instals (least desirable method)
+# Redis Extension
 FROM compile AS redis
 RUN \
- # Redis Extension
 git clone --depth 1 --branch $PHP_REDIS_VERSION https://github.com/phpredis/phpredis.git && \
 cd phpredis && \
 phpize && \
@@ -70,8 +71,9 @@ RUN \
 ## Swoole Extension
 FROM compile AS swoole
+RUN docker-php-ext-install sockets
 RUN \
- git clone --depth 1 --branch $PHP_SWOOLE_VERSION https://github.com/swoole/swoole-src.git && \
+ git clone --depth 1 --branch "v$PHP_SWOOLE_VERSION" https://github.com/swoole/swoole-src.git && \
 cd swoole-src && \
 phpize && \
 ./configure --enable-sockets --enable-http2 --enable-openssl --enable-swoole-curl && \
@@ -170,7 +172,7 @@ RUN \
 ./configure && \
 make && make install
-# PHP PECL installs
+# PHP PECL installs (acceptable method)
 FROM compile AS opentelemetry
 RUN pecl install opentelemetry-${PHP_OPENTELEMETRY_VERSION}
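Review bot: The clone on the new `git clone --depth 1 --branch "v$PHP_SWOOLE_VERSION" https://github.com/swoole/swoole-src.git` line is still pinned only to a git tag, which upstream can move or re-create, so the same `PHP_SWOOLE_VERSION` can yield different sources on a later rebuild; the redis stage in the hunk above has the same shape. Checking out a recorded commit after the clone, `git -C swoole-src checkout <pinned-commit-sha>`, or fetching a release archive and verifying its checksum, would make the stage reproducible. The new `RUN docker-php-ext-install sockets` line also deserves a why-comment, presumably `# sockets must be built before ./configure --enable-sockets below` — confirm that is the actual reason before adding it.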
@@ -178,26 +180,9 @@ RUN pecl install opentelemetry-${PHP_OPENTELEMETRY_VERSION} FROM compile AS protobuf RUN pecl install protobuf-${PHP_PROTOBUF_VERSION} -# docker-php-extensions installs - -FROM compile AS gd -RUN docker-php-ext-install gd - -FROM compile AS sockets -RUN docker-php-ext-install sockets - -FROM compile AS pdo_mysql -RUN docker-php-ext-install pdo pdo_mysql - -FROM compile AS pdo_pgsql -RUN docker-php-ext-install pdo pdo_pgsql - -FROM compile AS intl -RUN docker-php-ext-install intl - FROM $BASE_IMAGE AS final -# PAss in ARGS to use as label values and path components +# Pass in ARGS to use as label values and path components ARG BASE_IMAGE ARG PHP_BUILD_DATE 
@@ -249,23 +234,27 @@ RUN \ && apk del .deps \ && rm -rf /var/cache/apk/* +# extension installer (prefered method) + +RUN docker-php-ext-install \ + gd \ + intl \ + pdo_mysql \ + pdo_pgsql \ + sockets + WORKDIR /usr/src/code COPY --from=brotli /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/brotli.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ -COPY --from=gd /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/gd.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=imagick /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/imagick.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ -COPY --from=intl /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/intl.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=lz4 /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/lz4.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=maxmind /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/maxminddb.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=mongodb /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/mongodb.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=opentelemetry /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/opentelemetry.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ -COPY --from=pdo_mysql /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/pdo_mysql.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ -COPY --from=pdo_pgsql /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/pdo_pgsql.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=protobuf /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/protobuf.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=redis 
/usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/redis.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=scrypt /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/scrypt.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=snappy /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/snappy.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ -COPY --from=sockets /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/sockets.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=swoole /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/swoole.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=xdebug /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/xdebug.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=yaml /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/yaml.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ diff --git a/README.md b/README.md index d3acadb..9843abc 100644 --- a/README.md +++ b/README.md @@ -37,8 +37,7 @@ In order to run this container you'll need the Docker runtime installed. ## Build ```shell -time docker-buildx build --no-cache --tag appwrite/base:latest . | tee "build-$(date +%s).log" -# tee "build-$(date +%s).log" 0.00s user 0.01s system 0% cpu 4:20.31 total +time docker-buildx build --no-cache --tag appwrite/base:latest . ``` ## Scan diff --git a/TODO.md b/TODO.md index 55d769b..a99490a 100644 --- a/TODO.md +++ b/TODO.md @@ -9,3 +9,4 @@ - changelog aligning with appwrite/appwrite - DOCKER_BUILDKIT=1 + buildx to parallel build the PHP extensions - audit system packages in Dockerfile -> final +- capture build logs via ` | tee "build-$(date +%s).log"` From bb9281b71254a9e885d418e7a0faf6939fc7e15b Mon Sep 17 00:00:00 2001 
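Review bot: The new `RUN docker-php-ext-install gd intl pdo_mysql pdo_pgsql sockets` compiles these five extensions inside the final image, in a layer that runs after the preceding RUN has already done `&& apk del .deps`, so whatever headers and toolchain the compile needs are either still installed in the runtime image or the step fails; the start of that RUN chain is outside the hunk, so I cannot see which packages `.deps` holds. Moving this install into that chain before `&& apk del .deps`, or back into a build stage with a `COPY --from` like the other extensions, keeps compilers and `-dev` headers out of the shipped image. The comment above it should also read `# extension installer (preferred method)`.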
From: David J Eddy
Date: Wed, 11 Mar 2026 14:47:17 +0100
Subject: [PATCH 11/23] ADD image push for feature branch builds
---
 .github/workflows/build-and-push.yml | 41 ++++++++++++++++---
 ...{test.yml => container-structure-test.yml} | 4 +-
 .../{pr-scan.yml => scheduled-trivy.yml} | 11 ++++-
 .github/workflows/trivy.yml | 16 +-------
 CHANGES.md | 2 +-
 TODO.md | 12 +++---
 6 files changed, 55 insertions(+), 31 deletions(-)
 rename .github/workflows/{test.yml => container-structure-test.yml} (90%)
 rename .github/workflows/{pr-scan.yml => scheduled-trivy.yml} (83%)
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index 7b4a14c..961d230 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -1,16 +1,45 @@
-name: Build and Push to DockerHub
+name: Build and Push
-on:
- release:
- types: [published]
+on: push
+
+permissions:
+ contents: read
 env:
- REGISTRY: docker.io
 IMAGE_NAME: appwrite/base
+ REGISTRY: docker.io
 TAG: ${{ github.event.release.tag_name }}
 jobs:
- build:
+ build_sha:
+ if: github.ref != 'refs/heads/main'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout the repo
+ uses: actions/checkout@v6.0.2
+
+ - name: Login to DockerHub
+ uses: docker/login-action@v4
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v4
+
+ - name: Build and push
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+
+ build_release:
+ if: github.ref == 'refs/heads/main'
 runs-on: ubuntu-latest
 steps:
 - name: Checkout the repo
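Review bot: `TAG: ${{ github.event.release.tag_name }}` in the env block is now evaluated under the new `on: push` trigger, whose event payload carries no `release` object, so `env.TAG` is empty on every run and anything that tags with it (the `build_release` job continues below the hunk) ends up with a reference like `docker.io/appwrite/base:`; derive it from `github.ref_name` or keep a `release` trigger for that job. Separately, `docker/login-action@v4`, `docker/setup-qemu-action@v4`, `docker/setup-buildx-action@v4` and `docker/build-push-action@v4` are referenced by floating major tags while `actions/checkout@v6.0.2` is pinned exactly; since these steps hold the DockerHub credentials, pin them to full commit SHAs with the version in a trailing comment, e.g. `uses: docker/login-action@<commit-sha> # v4`. With `on: push` unfiltered, every branch push now publishes a sha-tagged image before the Trivy and structure-test workflows have run against that commit; a comment stating that this is intended would help the next reader.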
diff --git a/.github/workflows/test.yml b/.github/workflows/container-structure-test.yml similarity index 90% rename from .github/workflows/test.yml rename to .github/workflows/container-structure-test.yml index 1948c37..bf86379 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/container-structure-test.yml @@ -1,4 +1,4 @@ -name: Test container structure +name: Container Structure Test on: [pull_request] @@ -14,7 +14,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v6.0.2 - - name: Setup container structure test + - name: Setup container-structure-test run: | curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 chmod +x container-structure-test-linux-amd64 diff --git a/.github/workflows/pr-scan.yml b/.github/workflows/scheduled-trivy.yml similarity index 83% rename from .github/workflows/pr-scan.yml rename to .github/workflows/scheduled-trivy.yml index 3bfe03e..7299c12 100644 --- a/.github/workflows/pr-scan.yml +++ b/.github/workflows/scheduled-trivy.yml @@ -1,6 +1,13 @@ -name: PR Security Scan +name: Scheduled Trivy Scan -on: push +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '43 11 * * 6' permissions: contents: read diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 6fbf98f..436185e 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -1,18 +1,6 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. +name: Push Trivy Scan -name: trivy - -on: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - schedule: - - cron: '43 11 * * 6' +on: push permissions: contents: read 
diff --git a/CHANGES.md b/CHANGES.md index f81ef6c..f656187 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -7,7 +7,7 @@ * .dockerignore * .github/workflows/pr-scan.yml to scan all commit pushes for vulnerabilities * base_image and php_build_date to containber labels -* CHANGELOG.md +* container image build action to publish image using commit sha ### Change diff --git a/TODO.md b/TODO.md index a99490a..b90ce53 100644 --- a/TODO.md +++ b/TODO.md @@ -1,12 +1,12 @@ # TODO - [add dive analysis to project](https://github.com/marketplace/actions/dive-action) -- install gd and run stage should be separate -- xdebug should not be in a production image +- audit system packages in Dockerfile -> final - can we get pre-compiled extensions *.so -- xdebug as separate image `appwrite-XYZ-xdebug` -- use Swoole base image +- can we merge checkout, login, setup qemu, setup buildx in build-and-push.yml +- capture build logs via ` | tee "build-$(date +%s).log"` - changelog aligning with appwrite/appwrite - DOCKER_BUILDKIT=1 + buildx to parallel build the PHP extensions -- audit system packages in Dockerfile -> final -- capture build logs via ` | tee "build-$(date +%s).log"` +- install gd and run stage should be separate +- use Swoole base image +- xdebug as separate image `appwrite/base-xdebug` From 258e983dd198d5cdc4a66ecce4269907b0a4eac6 Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Wed, 11 Mar 2026 15:25:12 +0100 Subject: [PATCH 12/23] Remove docker-buildx for now, we do not use ARM hosts --- .github/workflows/build-and-push.yml | 18 ++++++------------ TODO.md | 1 + 2 files changed, 7 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 961d230..c052a50 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml 
@@ -24,19 +24,13 @@ jobs:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v4
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4
+ - name: Build an image from Dockerfile
+ run: |
+ docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
- - name: Build and push
- uses: docker/build-push-action@v4
- with:
- context: .
- platforms: linux/amd64,linux/arm64
- push: true
- tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+ - name: Push an image
+ run: |
+ docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
 build_release:
 if: github.ref == 'refs/heads/main'
diff --git a/TODO.md b/TODO.md
index b90ce53..a8a6576 100644
--- a/TODO.md
+++ b/TODO.md
@@ -10,3 +10,4 @@
 - install gd and run stage should be separate
 - use Swoole base image
 - xdebug as separate image `appwrite/base-xdebug`
+- docker-buildx takes a VERY long time when building off-architecture (arm64 on a x86 host) vua QEMUimage a host. We want to build targeting arm using an ARM host
From adc52e8369782198bb34f91b0d0eb18c3e48bcb7 Mon Sep 17 00:00:00 2001
From: David J Eddy
Date: Wed, 11 Mar 2026 15:34:54 +0100
Subject: [PATCH 13/23] REMOVE multi-arch builds in exchange for faster build and releases
---
 .github/workflows/build-and-push.yml | 22 ++++++++--------------
 .github/workflows/scheduled-trivy.yml | 2 +-
 .github/workflows/trivy.yml | 2 +-
 CHANGES.md | 2 ++
 TODO.md | 1 +
 5 files changed, 13 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index c052a50..dca955c 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
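Review bot: The new push step ends with a stray `.`: `docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .` — `docker image push` takes only the image reference, so the extra argument makes the step fail; drop the `.`, which belongs to the build step's context argument. With the build-push action gone, the image is still pushed by this job before the Trivy and structure-test workflows have run on the same commit, so a sha-tagged image can be published with findings those workflows would have reported; gating the push step on those jobs would close that gap.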
@@ -26,11 +26,11 @@ jobs:
 - name: Build an image from Dockerfile
 run: |
- docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
+ docker image build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
 - name: Push an image
 run: |
- docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
+ docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
 build_release:
 if: github.ref == 'refs/heads/main'
@@ -45,16 +45,10 @@ jobs:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v4
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4
+ - name: Build an image from Dockerfile
+ run: |
+ docker image build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
- - name: Build and push
- uses: docker/build-push-action@v4
- with:
- context: .
- platforms: linux/amd64,linux/arm64
- push: true
- tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
+ - name: Push an image
+ run: |
+ docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
\ No newline at end of file
diff --git a/.github/workflows/scheduled-trivy.yml b/.github/workflows/scheduled-trivy.yml
index 7299c12..789580a 100644
--- a/.github/workflows/scheduled-trivy.yml
+++ b/.github/workflows/scheduled-trivy.yml
@@ -26,7 +26,7 @@ jobs:
 - name: Build an image from Dockerfile
 run: |
- docker build -t appwrite/docker-base:${{ github.sha }} .
+ docker image build -t appwrite/docker-base:${{ github.sha }} .
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@0.35.0
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 436185e..43d8ef3 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
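Review bot: In the `build_release` job the build step now tags the image `:${{ github.sha }}` while the push step pushes `:${{ env.TAG }}`, a tag that is never created on the runner, so the push fails; and `env.TAG` is `github.event.release.tag_name`, which is empty under the `on: push` trigger. Build with the reference that is pushed, `docker image build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} .`, and source `TAG` from a value that exists on push events, for example `github.ref_name` or a version file in the repo.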
@@ -19,7 +19,7 @@ jobs: - name: Build an image from Dockerfile run: | - docker build -t appwrite/docker-base:${{ github.sha }} . + docker image build -t appwrite/docker-base:${{ github.sha }} . - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.35.0 diff --git a/CHANGES.md b/CHANGES.md index f656187..003a14d 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -28,3 +28,5 @@ ### Miscellaneous ### Removed + +* Multi-arch builds due to slow build times, the trade off is improved build times diff --git a/TODO.md b/TODO.md index a8a6576..dc22174 100644 --- a/TODO.md +++ b/TODO.md @@ -11,3 +11,4 @@ - use Swoole base image - xdebug as separate image `appwrite/base-xdebug` - docker-buildx takes a VERY long time when building off-architecture (arm64 on a x86 host) vua QEMUimage a host. We want to build targeting arm using an ARM host +- push job should require all tests to pass which shoudl require build to successed. Reduce duplication of steps across jobs From b0bc807369c34dcf7d8465ef72048c23f1cdc685 Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Wed, 11 Mar 2026 15:55:28 +0100 Subject: [PATCH 14/23] Refactory ARM build process to avoid cross-arch building --- .github/workflows/build-and-push.yml | 35 +++++++++++++++++----------- CHANGES.md | 5 ++-- 2 files changed, 24 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index dca955c..808d4c7 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml 
@@ -10,13 +10,22 @@ env:
 REGISTRY: docker.io
 TAG: ${{ github.event.release.tag_name }}
+# https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/
+# https://learn.arm.com/learning-paths/cross-platform/github-arm-runners/actions/
 jobs:
- build_sha:
+ container_build_and_push:
 if: github.ref != 'refs/heads/main'
- runs-on: ubuntu-latest
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ include:
+ - os: ubuntu-latest
+ arch: amd64
+ - os: ubuntu-24.04-arm
+ arch: arm64
 steps:
 - name: Checkout the repo
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@v6
 - name: Login to DockerHub
 uses: docker/login-action@v4
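Review bot: `uses: actions/checkout@v6.0.2` is loosened to `uses: actions/checkout@v6` on the new side, so the checkout step now follows whatever the floating major tag points at; for a job that also holds the DockerHub push credentials the safer direction is a full commit SHA, `uses: actions/checkout@<commit-sha> # v6.0.2`, and the same applies to the `docker/login-action@v4` context line. The new `ubuntu-24.04-arm` matrix entry depends on the ARM runner availability described by the two URLs added above `jobs:`; a one-line comment on which repository visibility or plan that requires would save the next maintainer a lookup.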
@@ -26,29 +35,27 @@ jobs:
 - name: Build an image from Dockerfile
 run: |
- docker image build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
+ docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{matrix.arch}} .
 - name: Push an image
 run: |
- docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+ docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{matrix.arch}}
- build_release:
- if: github.ref == 'refs/heads/main'
+ manifest_build_and_push:
+ if: github.ref != 'refs/heads/main'
+ needs: container_build_and_push
 runs-on: ubuntu-latest
 steps:
- - name: Checkout the repo
- uses: actions/checkout@v6.0.2
-
 - name: Login to DockerHub
 uses: docker/login-action@v4
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
- - name: Build an image from Dockerfile
+ - name: Create manifest
 run: |
- docker image build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
+ docker manifest create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:amd64 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:arm64
- - name: Push an image
+ - name: Push manifest
 run: |
- docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
\ No newline at end of file
+ docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.SHA }}
diff --git a/CHANGES.md b/CHANGES.md
index 003a14d..56af737 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,6 +1,6 @@
 # CHANGELOG
-## Version 0.2.0
+## Version 0.11.0
 ### Add
@@ -19,6 +19,7 @@
 * Dockerfile compile and final stage system packages aligned
 * ImageMagick version bumped to 7.1.2.15, tests.yaml aligned to ensure new version
 * PHP version bumped to 8.5.3
+* Refactory multi-arch build process to prevent cross-arch builds requiring long wait times
 * Swoole version bumped to 6.2.0
 ### Fixes
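Review bot: `docker manifest create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} ...` names the manifest list without a tag, so it is created as `:latest`, while the next step pushes `...:${{ github.SHA }}`, a list that was never created; the create and push references must be the same. Beyond that, the per-arch images are pushed to the shared mutable tags `:amd64` and `:arm64` (first hunk), so two feature branches building at the same time overwrite each other and the manifest can combine an amd64 image from one commit with an arm64 image from another; tagging the per-arch images with the commit as well, e.g. `:${{ github.sha }}-${{ matrix.arch }}`, removes the race. With `build_release` removed and both remaining jobs gated on `github.ref != 'refs/heads/main'`, nothing in this workflow runs on main any more, which may be unintended.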
@@ -29,4 +30,4 @@ ### Removed -* Multi-arch builds due to slow build times, the trade off is improved build times +* Github action to Setup QEMU as GitHub now provides native ARM runners From e5134a2a547593aa9a400c6bf8b992febe9a4637 Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Wed, 11 Mar 2026 16:14:24 +0100 Subject: [PATCH 15/23] Trying to fix multi-arch builds --- .github/workflows/build-and-push.yml | 31 +++++++++++++++++-- .../workflows/container-structure-test.yml | 2 +- .github/workflows/scheduled-trivy.yml | 2 +- .github/workflows/trivy.yml | 2 +- 4 files changed, 31 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 808d4c7..e20c288 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -8,7 +8,6 @@ permissions: env: IMAGE_NAME: appwrite/base REGISTRY: docker.io - TAG: ${{ github.event.release.tag_name }} # https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/ # https://learn.arm.com/learning-paths/cross-platform/github-arm-runners/actions/ @@ -41,7 +40,7 @@ jobs: run: | docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{matrix.arch}} - manifest_build_and_push: + manifest_build_and_push_on_feature: if: github.ref != 'refs/heads/main' needs: container_build_and_push runs-on: ubuntu-latest 
@@ -54,8 +53,34 @@ jobs:
 - name: Create manifest
 run: |
- docker manifest create ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:amd64 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:arm64
+ docker manifest create \
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.SHA }} \
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:amd64 \
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:arm64
 - name: Push manifest
 run: |
 docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.SHA }}
+
+
+ manifest_build_and_push_on_main:
+ if: github.ref == 'refs/heads/main'
+ needs: container_build_and_push
+ runs-on: ubuntu-latest
+ steps:
+ - name: Login to DockerHub
+ uses: docker/login-action@v4
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Create manifest
+ run: |
+ docker manifest create \
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }} \
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:amd64 \
+ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:arm64
+
+ - name: Push manifest
+ run: |
+ docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
diff --git a/.github/workflows/container-structure-test.yml b/.github/workflows/container-structure-test.yml
index bf86379..70374b5 100644
--- a/.github/workflows/container-structure-test.yml
+++ b/.github/workflows/container-structure-test.yml
@@ -8,7 +8,7 @@ env:
 TAG: ${{ github.event.release.tag_name }}
 jobs:
- build:
+ container_structure_test:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout the repo
diff --git a/.github/workflows/scheduled-trivy.yml b/.github/workflows/scheduled-trivy.yml
index 789580a..9fdcd5f 100644
--- a/.github/workflows/scheduled-trivy.yml
+++ b/.github/workflows/scheduled-trivy.yml
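Review bot: The new `manifest_build_and_push_on_main` job declares `needs: container_build_and_push`, but that job is gated with `if: github.ref != 'refs/heads/main'` earlier in the file (outside this hunk), so on main the prerequisite is skipped and this job is skipped with it; even if it ran, `github.event.release.tag_name` is empty on a push event, giving a reference ending in `:`, and the `:amd64`/`:arm64` tags it combines are the mutable ones last pushed by whichever feature branch built most recently. The job needs a build of its own (or the gate on the build job relaxed) plus a tag source that exists on push events, such as `github.ref_name`; tagging per-arch images with the commit, `:${{ github.sha }}-amd64`, would also make the manifest refer to images from this exact commit.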
@@ -13,7 +13,7 @@ permissions: contents: read jobs: - build: + scheduled_trivy: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 43d8ef3..1f0b989 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -6,7 +6,7 @@ permissions: contents: read jobs: - build: + trivy: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results From 7141e7737bb82b945d1fad8f4375d2f9241be733 Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Thu, 12 Mar 2026 11:52:08 +0100 Subject: [PATCH 16/23] ADD dive test tool. ADD image lifecycle GH action. Dockerfile now based on Swoole base image --- .dive-ci | 13 +++++++ .github/workflows/build-and-push.yml | 12 +++---- .github/workflows/dive.yml | 21 +++++++++++ .github/workflows/lifecycle-policy.yml | 35 +++++++++++++++++++ .github/workflows/scheduled-trivy.yml | 2 +- ...-structure-test.yml => structure-test.yml} | 4 +-- .github/workflows/trivy.yml | 2 +- CHANGES.md | 8 ++++- Dockerfile | 18 ++-------- README.md | 15 +++++--- TODO.md | 9 ++--- tests.yaml | 14 ++++++-- 12 files changed, 114 insertions(+), 39 deletions(-) create mode 100644 .dive-ci create mode 100644 .github/workflows/dive.yml create mode 100644 .github/workflows/lifecycle-policy.yml rename .github/workflows/{container-structure-test.yml => structure-test.yml} (93%) diff --git a/.dive-ci b/.dive-ci new file mode 100644 index 0000000..f81d725 --- /dev/null +++ b/.dive-ci 
@@ -0,0 +1,13 @@ +rules: + # If the efficiency is measured below X%, mark as failed. + # Expressed as a ratio between 0-1. + lowestEfficiency: 0.90 + + # If the amount of wasted space is at least X or larger than X, mark as failed. + # Expressed in B, KB, MB, and GB. + highestWastedBytes: 128MB + + # If the amount of wasted space makes up for X% or more of the image, mark as failed. + # Note: the base image layer is NOT included in the total image size. + # Expressed as a ratio between 0-1; fails if the threshold is met or crossed. + highestUserWastedPercent: 0.10 diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index e20c288..1a17d6c 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -12,13 +12,13 @@ env: # https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/ # https://learn.arm.com/learning-paths/cross-platform/github-arm-runners/actions/ jobs: - container_build_and_push: + build_and_push: if: github.ref != 'refs/heads/main' runs-on: ${{ matrix.os }} strategy: matrix: include: - - os: ubuntu-latest + - os: ubuntu-24.04 arch: amd64 - os: ubuntu-24.04-arm arch: arm64 @@ -42,8 +42,8 @@ jobs: manifest_build_and_push_on_feature: if: github.ref != 'refs/heads/main' - needs: container_build_and_push - runs-on: ubuntu-latest + needs: build_and_push + runs-on: ubuntu-24.04 steps: - name: Login to DockerHub uses: docker/login-action@v4 @@ -65,8 +65,8 @@ jobs: manifest_build_and_push_on_main: if: github.ref == 'refs/heads/main' - needs: container_build_and_push - runs-on: ubuntu-latest + needs: build_and_push + runs-on: ubuntu-24.04 steps: - name: Login to DockerHub uses: docker/login-action@v4 diff --git a/.github/workflows/dive.yml b/.github/workflows/dive.yml new file mode 100644 index 0000000..203da84 --- /dev/null +++ b/.github/workflows/dive.yml 
@@ -0,0 +1,21 @@
+name: Dive Test
+
+on: [pull_request]
+
+jobs:
+ dive:
+ runs-on: ubuntu-latest
+ name: Analyze image efficiency
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6.0.2
+
+ - name: Build an image from Dockerfile
+ run: |
+ docker image build -t appwrite/docker-base:${{ github.sha }} .
+
+ - name: Dive
+ uses: yuichielectric/dive-action@0.0.4
+ with:
+ github-token: ${{ secrets.GH_TOKEN }}
+ image: appwrite/docker-base:${{ github.sha }}
diff --git a/.github/workflows/lifecycle-policy.yml b/.github/workflows/lifecycle-policy.yml
new file mode 100644
index 0000000..be2d4f4
--- /dev/null
+++ b/.github/workflows/lifecycle-policy.yml
@@ -0,0 +1,35 @@
+# # https://github.com/marketplace/actions/delete-package-versions
+# # Ignore SemVer tags (proper releases)
+# # Keep 7 sha tagged images (ordred by publish datetime)
+
+# name: Container Lifecycle Policy
+
+# on:
+# schedule:
+# - cron: '30 9 * * *'
+
+# permissions:
+# contents: read
+
+# env:
+# IMAGE_NAME: appwrite/base
+# REGISTRY: docker.io
+
+# jobs:
+# prune_sha_tagged_images:
+# runs-on: ubuntu-24.04
+# steps:
+# - name: Login to DockerHub
+# uses: docker/login-action@v4
+# with:
+# username: ${{ secrets.DOCKERHUB_USERNAME }}
+# password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+# # https://github.com/marketplace/actions/delete-package-versions#delete-oldest-x-number-of-versions-while-ignoring-particular-package-versions
+# # Ignore SemVer tagged images https://ihateregex.io/expr/semver/
+# - uses: actions/delete-package-versions@v5
+# with:
+# ignore-versions: '^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$'
+# min-versions-to-keep: 7
+# package-name: 'base'
+# package-type: 'container'
diff --git a/.github/workflows/scheduled-trivy.yml b/.github/workflows/scheduled-trivy.yml
index 9fdcd5f..c7140cf 100644
--- a/.github/workflows/scheduled-trivy.yml
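Review bot: `github-token: ${{ secrets.GH_TOKEN }}` hands the dive action a long-lived stored token instead of the job's ephemeral `${{ secrets.GITHUB_TOKEN }}`, and the workflow has no `permissions:` block, so the job token keeps the repository's default scopes; for a `pull_request` workflow the ephemeral token with an explicit least-privilege block is the safer choice, e.g. `permissions: { contents: read, pull-requests: write }` if the action needs to comment on the PR (I cannot tell from here whether it does). On pull requests from forks repository secrets are not available at all, so the step would fail for external contributors. `yuichielectric/dive-action@0.0.4` is a third-party action referenced by a tag; pin it to a full commit SHA with the version in a trailing comment.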
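Review bot: The commented-out workflow logs in to DockerHub and then calls `actions/delete-package-versions@v5`, which as far as I know operates on GitHub Packages rather than DockerHub, so when it is enabled the `prune_sha_tagged_images` job will not prune the `docker.io` tags it is documented to manage. A comment on the header line stating that the file is a draft and which registry the pruning is meant to target, e.g. `# DRAFT: delete-package-versions targets GitHub Packages; DockerHub tags need a registry-side policy or the Hub API`, would prevent it being enabled as-is.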
+++ b/.github/workflows/scheduled-trivy.yml @@ -19,7 +19,7 @@ jobs: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout code uses: actions/checkout@v6.0.2 diff --git a/.github/workflows/container-structure-test.yml b/.github/workflows/structure-test.yml similarity index 93% rename from .github/workflows/container-structure-test.yml rename to .github/workflows/structure-test.yml index 70374b5..b296d7d 100644 --- a/.github/workflows/container-structure-test.yml +++ b/.github/workflows/structure-test.yml @@ -8,8 +8,8 @@ env: TAG: ${{ github.event.release.tag_name }} jobs: - container_structure_test: - runs-on: ubuntu-latest + structure_test: + runs-on: ubuntu-24.04 steps: - name: Checkout the repo uses: actions/checkout@v6.0.2 diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 1f0b989..1f3569c 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -12,7 +12,7 @@ jobs: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout code uses: actions/checkout@v6.0.2 diff --git a/CHANGES.md b/CHANGES.md index 56af737..da2f591 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -1,13 +1,18 @@ # CHANGELOG -## Version 0.11.0 +## Version 1.1.0 ### Add * .dockerignore * .github/workflows/pr-scan.yml to scan all commit pushes for vulnerabilities +* .github/workflows/lifecycle-policy.yml to prune sha tagged images excluding the most recent 7 * base_image and php_build_date to containber labels * container image build action to publish image using commit sha +* container-structure-test to check PHP version (currently set to 8.5.3) +* container-structure-test to check swoole version (currently set to 6.2.0) +* SECURITY.md to align with appwrite/appwrite +* ### Change @@ -17,6 +22,7 @@ * Better noted and organized the different build processes for PHP extensions * Date component of PHP extension shared objects directory now a build argument * Dockerfile compile and final stage system packages aligned +* Github action runners pinned to Ubuntu 24.04 * ImageMagick version bumped to 7.1.2.15, tests.yaml aligned to ensure new version * PHP version bumped to 8.5.3 * Refactory multi-arch build process to prevent cross-arch builds requiring long wait times diff --git a/Dockerfile b/Dockerfile index 6e41619..884c9d5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,7 +14,6 @@ ENV \ PHP_REDIS_VERSION="6.3.0" \ PHP_SCRYPT_VERSION="2.0.1" \ PHP_SNAPPY_VERSION="0.2.3" \ - PHP_SWOOLE_VERSION="6.2.0" \ PHP_XDEBUG_VERSION="3.5.1" \ PHP_YAML_VERSION="2.3.0" \ PHP_ZSTD_VERSION="0.15.2" @@ -69,17 +68,6 @@ RUN \ ./configure && \ make && make install -## Swoole Extension -FROM compile AS swoole -RUN docker-php-ext-install sockets -RUN \ - git clone --depth 1 --branch "v$PHP_SWOOLE_VERSION" https://github.com/swoole/swoole-src.git && \ - cd swoole-src && \ - phpize && \ - ./configure --enable-sockets --enable-http2 --enable-openssl --enable-swoole-curl && \ - make && make install && \ - cd .. - ## Imagick Extension FROM compile AS imagick RUN \ 
@@ -180,7 +168,9 @@ RUN pecl install opentelemetry-${PHP_OPENTELEMETRY_VERSION} FROM compile AS protobuf RUN pecl install protobuf-${PHP_PROTOBUF_VERSION} -FROM $BASE_IMAGE AS final +# FROM $BASE_IMAGE AS final +FROM "phpswoole/swoole:php8.5-alpine" AS final + # Pass in ARGS to use as label values and path components @@ -255,7 +245,6 @@ COPY --from=protobuf /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_D COPY --from=redis /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/redis.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=scrypt /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/scrypt.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=snappy /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/snappy.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ -COPY --from=swoole /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/swoole.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=xdebug /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/xdebug.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=yaml /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/yaml.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ COPY --from=zstd /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/zstd.so /usr/local/lib/php/extensions/no-debug-non-zts-$PHP_BUILD_DATE/ @@ -273,7 +262,6 @@ RUN docker-php-ext-enable \ redis \ scrypt \ snappy \ - swoole \ yaml \ zstd diff --git a/README.md b/README.md index 9843abc..14f3db3 100644 --- a/README.md +++ b/README.md 
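Review bot: The new `FROM "phpswoole/swoole:php8.5-alpine" AS final` makes the runtime PHP a different build from the one the extensions are compiled against: the `compile` stage still derives from `$BASE_IMAGE` (`php:8.5.3-cli-alpine3.23` in this series), and the later `COPY --from=…` lines drop those `.so` files into `no-debug-non-zts-$PHP_BUILD_DATE` of the Swoole image. If the phpswoole image's PHP was built with different options (ZTS, another API date, another Alpine release), the modules will fail to load at `docker-php-ext-enable`; derive both stages from the same image (`ARG BASE_IMAGE="phpswoole/swoole:php8.5-alpine"` and keep `FROM $BASE_IMAGE AS final`) or verify the extension API directory matches. The commented-out `# FROM $BASE_IMAGE AS final` should be removed rather than left as dead text. The `php8.5-alpine` tag is also floating, whereas the value it replaces pinned PHP 8.5.3 and Alpine 3.23, so consecutive builds can silently pick up different PHP, Alpine and Swoole versions.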
@@ -37,27 +37,34 @@ In order to run this container you'll need the Docker runtime installed. ## Build ```shell -time docker-buildx build --no-cache --tag appwrite/base:latest . +docker-buildx build --no-cache --tag appwrite/base:latest . +# exit code 0 ``` ## Scan ```shell -trivy image --format json --pkg-types os,library --severity CRITICAL,HIGH --output trivy-image-results.json appwrite/base:latest | tee "scan-$(date +%s).log" +trivy image --format json --pkg-types os,library --severity CRITICAL,HIGH --output trivy-image-results.json appwrite/base:latest # success is a zero exit code ``` ## Test ```bash -container-structure-test test --config tests.yaml --image appwrite/base:latest | tee "test-$(date +%s).log" +container-structure-test test --config tests.yaml --image appwrite/base:latest # PASS +CI=true dive appwrite/base:latest +# Results: +# PASS: highestUserWastedPercent +# PASS: highestWastedBytes +# PASS: lowestEfficiency +# Result:PASS [Total:3] [Passed:3] [Failed:0] [Warn:0] [Skipped:0] ``` ## Run ```shell -docker run appwrite/base:latest php -m| tee "run-$(date +%s).log" +docker run appwrite/base:latest php -m # ... # yaml # Zend OPcache diff --git a/TODO.md b/TODO.md index dc22174..5a9e7b2 100644 --- a/TODO.md +++ b/TODO.md 
@@ -2,13 +2,8 @@ - [add dive analysis to project](https://github.com/marketplace/actions/dive-action) - audit system packages in Dockerfile -> final -- can we get pre-compiled extensions *.so -- can we merge checkout, login, setup qemu, setup buildx in build-and-push.yml -- capture build logs via ` | tee "build-$(date +%s).log"` -- changelog aligning with appwrite/appwrite -- DOCKER_BUILDKIT=1 + buildx to parallel build the PHP extensions +- can we get pre-compiled extensions *.so / extensions - install gd and run stage should be separate - use Swoole base image - xdebug as separate image `appwrite/base-xdebug` -- docker-buildx takes a VERY long time when building off-architecture (arm64 on a x86 host) vua QEMUimage a host. We want to build targeting arm using an ARM host -- push job should require all tests to pass which shoudl require build to successed. Reduce duplication of steps across jobs +- push job should require all tests to pass which should require build to successed. Reduce duplication of steps across jobs diff --git a/tests.yaml b/tests.yaml index 68b63ed..5e524f1 100644 --- a/tests.yaml +++ b/tests.yaml @@ -1,5 +1,5 @@ schemaVersion: '2.0.0' - + commandTests: - name: 'Imagemagick command' command: "magick" @@ -75,6 +75,11 @@ commandTests: - yaml - zlib - zstd + - name: 'PHP version' + command: "php" + args: ["-v"] + expectedOutput: + - "PHP 8.5.3 (cli)*" - name: 'ImageMagick supported formats' command: "php" args: ["-i"] @@ -85,8 +90,13 @@ commandTests: args: ["-r", 'print(\Normalizer::FORM_D);'] expectedOutput: - "4" + - name: 'Swoole version' + command: "php" + args: ["--re", "swoole"] + expectedOutput: + - ".*version 6.2.0.*" - name: 'ZIP' command: "zip" args: ["-v"] expectedOutput: - - "Zip 3.0 \\(July 5th 2008\\)" + - "Zip 3.0 \\(July 5th 2008\\)" \ No newline at end of file From 9ff192dbce4e7fbe0b5e6b26a99683ffd3c1ceac Mon Sep 17 00:00:00 2001 
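Review bot: The new `expectedOutput` entries are regular expressions, so `"PHP 8.5.3 (cli)*"` does not assert what it reads as: the dots match any character and `(cli)*` is a group repeated zero or more times, so the pattern is satisfied by any line containing `PHP 8x5y3 ` and never actually requires `(cli)`. The `Zip` entry in the same file already escapes its parentheses; write `- "PHP 8\\.5\\.3 \\(cli\\)"` and `- ".*version 6\\.2\\.0.*"` so the tests pin the versions they are meant to guard. Note that after the Dockerfile change in this series the Swoole version comes from the `phpswoole/swoole:php8.5-alpine` base tag rather than a pinned `PHP_SWOOLE_VERSION`, so the `6.2.0` assertion will break on the next upstream bump unless that tag is pinned.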
From: David J Eddy Date: Thu, 12 Mar 2026 13:12:21 +0100 Subject: [PATCH 17/23] Working on getting Trivy report into Security Tab --- .github/workflows/build-and-push.yml | 16 ++-- .github/workflows/dive.yml | 17 +++-- .github/workflows/lifecycle-policy.yml | 59 +++++++------- .github/workflows/scheduled-trivy.yml | 24 +++--- .github/workflows/structure-test.yml | 24 +++--- .github/workflows/trivy.yml | 32 ++++---- CHANGES.md | 6 +- Dockerfile | 6 +- README.md | 4 +- SECURITY.md | 102 +++++++++++++++++++++++++ TODO.md | 11 +-- tests.yaml | 2 +- 12 files changed, 206 insertions(+), 97 deletions(-) create mode 100644 SECURITY.md diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 1a17d6c..b7750e1 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -34,11 +34,11 @@ jobs: - name: Build an image from Dockerfile run: | - docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{matrix.arch}} . + docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{matrix.arch}} . - name: Push an image run: | - docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{matrix.arch}} + docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{matrix.arch}} manifest_build_and_push_on_feature: if: github.ref != 'refs/heads/main' 
@@ -54,13 +54,13 @@ jobs: - name: Create manifest run: | docker manifest create \ - ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.SHA }} \ - ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:amd64 \ - ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:arm64 + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} \ + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64 \ + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64 - name: Push manifest run: | - docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.SHA }} + docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} manifest_build_and_push_on_main: @@ -78,8 +78,8 @@ jobs: run: | docker manifest create \ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }} \ - ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:amd64 \ - ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:arm64 + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64 \ + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64 - name: Push manifest run: | diff --git a/.github/workflows/dive.yml b/.github/workflows/dive.yml index 203da84..b9ab28a 100644 --- a/.github/workflows/dive.yml +++ b/.github/workflows/dive.yml @@ -1,21 +1,26 @@ name: Dive Test -on: [pull_request] +on: push + +permissions: + contents: read + +env: + IMAGE_NAME: appwrite/base + REGISTRY: docker.io jobs: dive: - runs-on: ubuntu-latest - name: Analyze image efficiency + runs-on: ubuntu-24.04 steps: - name: Checkout code uses: actions/checkout@v6.0.2 - name: Build an image from Dockerfile run: | - docker image build -t appwrite/docker-base:${{ github.sha }} . + docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} . - name: Dive uses: yuichielectric/dive-action@0.0.4 with: - github-token: ${{ secrets.GH_TOKEN }} - image: appwrite/docker-base:${{ github.sha }} + image: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}' 
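Review bot: `yuichielectric/dive-action@0.0.4` is a third-party action referenced by a mutable tag, so whoever controls that tag controls what runs against the freshly built image in this job; pin it by full commit SHA with the version in a trailing comment, e.g. `uses: yuichielectric/dive-action@<40-char commit sha> # v0.0.4`. The same applies to `plexsystems/container-structure-test-action@v0.1.0` and `aquasecurity/trivy-action@0.35.0` introduced elsewhere in this patch. Dropping `github-token: ${{ secrets.GH_TOKEN }}` also removes a long-lived personal token from this job, which is good; if the action needs a token for annotations, `${{ github.token }}` is the scope-limited substitute.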
diff --git a/.github/workflows/lifecycle-policy.yml b/.github/workflows/lifecycle-policy.yml index be2d4f4..faaca1f 100644 --- a/.github/workflows/lifecycle-policy.yml +++ b/.github/workflows/lifecycle-policy.yml 
@@ -1,35 +1,36 @@ -# # https://github.com/marketplace/actions/delete-package-versions -# # Ignore SemVer tags (proper releases) -# # Keep 7 sha tagged images (ordred by publish datetime) +# https://github.com/marketplace/actions/delete-package-versions +# Ignore SemVer tags (proper releases) +# Keep 7 sha tagged images (ordred by publish datetime) -# name: Container Lifecycle Policy +name: Container Lifecycle Policy -# on: -# schedule: -# - cron: '30 9 * * *' +on: + schedule: + - cron: '30 9 * * *' -# permissions: -# contents: read +permissions: + contents: read -# env: -# IMAGE_NAME: appwrite/base -# REGISTRY: docker.io +env: + IMAGE_NAME: appwrite/base + REGISTRY: docker.io -# jobs: -# prune_sha_tagged_images: -# runs-on: ubuntu-24.04 -# steps: -# - name: Login to DockerHub -# uses: docker/login-action@v4 -# with: -# username: ${{ secrets.DOCKERHUB_USERNAME }} -# password: ${{ secrets.DOCKERHUB_TOKEN }} +jobs: + prune_sha_tagged_images: + runs-on: ubuntu-24.04 + steps: + - name: Login to DockerHub + uses: docker/login-action@v4 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} -# # https://github.com/marketplace/actions/delete-package-versions#delete-oldest-x-number-of-versions-while-ignoring-particular-package-versions -# # Ignore SemVer tagged images https://ihateregex.io/expr/semver/ -# - uses: actions/delete-package-versions@v5 -# with: -# ignore-versions: '^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$' -# min-versions-to-keep: 7 -# package-name: 'base' -# package-type: 'container' + # TODO pull all the images in the registry before running this. 
Be sure we have a backup + # # https://github.com/marketplace/actions/delete-package-versions#delete-oldest-x-number-of-versions-while-ignoring-particular-package-versions + # # Ignore SemVer tagged images https://ihateregex.io/expr/semver/ + # - uses: actions/delete-package-versions@v5 + # with: + # ignore-versions: '^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$' + # min-versions-to-keep: 7 + # package-name: 'base' + # package-type: 'container' diff --git a/.github/workflows/scheduled-trivy.yml b/.github/workflows/scheduled-trivy.yml index c7140cf..0d68700 100644 --- a/.github/workflows/scheduled-trivy.yml +++ b/.github/workflows/scheduled-trivy.yml @@ -10,15 +10,16 @@ on: - cron: '43 11 * * 6' permissions: - contents: read + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + +env: + IMAGE_NAME: appwrite/base + REGISTRY: docker.io jobs: scheduled_trivy: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: Build runs-on: ubuntu-24.04 steps: - name: Checkout code @@ -26,7 +27,7 @@ jobs: - name: Build an image from Dockerfile run: | - docker image build -t appwrite/docker-base:${{ github.sha }} . + docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} . - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.35.0 
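Review bot: With the deletion step commented out, the only live step in this daily scheduled job is `docker/login-action@v4` with `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN`, so the workflow exercises a registry credential every day and does nothing with it. As far as I can tell `actions/delete-package-versions` operates on GitHub Packages through the GitHub token (it needs `packages: write`, which this workflow does not grant), not on Docker Hub, so `REGISTRY: docker.io` and the Docker Hub login would not apply to it even once uncommented. Either keep the whole workflow disabled until a Docker Hub pruning mechanism is chosen, or drop the login step and leave a comment such as `# Disabled: delete-package-versions targets GitHub Packages, not Docker Hub; Hub pruning TBD`.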
@@ -34,10 +35,11 @@ jobs: image-ref: 'appwrite/docker-base:${{ github.sha }}' format: 'template' template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' + output: 'trivy-image-results.sarif' severity: 'CRITICAL,HIGH' - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v4.32.6 + # https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml + - name: Upload Trivy scan results + uses: github/codeql-action/upload-sarif@v4 with: - sarif_file: 'trivy-results.sarif' + sarif_file: '.' diff --git a/.github/workflows/structure-test.yml b/.github/workflows/structure-test.yml index b296d7d..6a32692 100644 --- a/.github/workflows/structure-test.yml +++ b/.github/workflows/structure-test.yml @@ -1,11 +1,14 @@ +# https://github.com/marketplace/actions/container-structure-test-action name: Container Structure Test -on: [pull_request] +on: push + +permissions: + contents: read env: - REGISTRY: docker.io IMAGE_NAME: appwrite/base - TAG: ${{ github.event.release.tag_name }} + REGISTRY: docker.io jobs: structure_test: @@ -14,13 +17,12 @@ jobs: - name: Checkout the repo uses: actions/checkout@v6.0.2 - - name: Setup container-structure-test + - name: Build an image from Dockerfile run: | - curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 - chmod +x container-structure-test-linux-amd64 - sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test + docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} . - - name: Run container structure test - run: | - docker build -t appwrite-base-test . - container-structure-test test --image appwrite-base-test --config tests.yaml + - name: Run container structure tests + uses: plexsystems/container-structure-test-action@v0.1.0 + with: + image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} + config: tests.yaml 
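Review bot: The scan step in this hunk still targets `image-ref: 'appwrite/docker-base:${{ github.sha }}'` while the build step in the previous hunk now tags the image `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}`, so Trivy will look for an image this job never built. Change it to `image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'`. Separately, `sarif_file: '.'` makes upload-sarif pick up every `*.sarif` under the checkout rather than the file the previous step wrote; `sarif_file: 'trivy-image-results.sarif'` keeps the upload tied to this scan.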
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 1f3569c..4a5e78f 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -1,17 +1,19 @@ +# https://github.com/aquasecurity/trivy-action name: Push Trivy Scan on: push permissions: - contents: read + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + +env: + IMAGE_NAME: appwrite/base + REGISTRY: docker.io jobs: trivy: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - name: Build runs-on: ubuntu-24.04 steps: - name: Checkout code @@ -19,18 +21,18 @@ jobs: - name: Build an image from Dockerfile run: | - docker image build -t appwrite/docker-base:${{ github.sha }} . + docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} . - - name: Run Trivy vulnerability scanner + - name: Run Trivy vulnerability scanner (sarif report) uses: aquasecurity/trivy-action@0.35.0 with: - image-ref: 'appwrite/docker-base:${{ github.sha }}' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' + format: 'sarif' + image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}' + output: 'trivy-image-results.sarif' severity: 'CRITICAL,HIGH' - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v4.32.6 + # https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml + - name: Upload Trivy scan results + uses: github/codeql-action/upload-sarif@v4 with: - sarif_file: 'trivy-results.sarif' + sarif_file: '.' 
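Review bot: The scan step never fails the job: `aquasecurity/trivy-action` defaults to `exit-code: 0`, so CRITICAL/HIGH findings only land in the Security tab and a push that introduces new vulnerabilities still goes green. If the intent is to gate, add `exit-code: '1'` (optionally `ignore-unfixed: true`) to the `with:` block; if it is report-only, a comment saying so saves the next reader a check. `sarif_file: '.'` also uploads every `*.sarif` found under the workspace rather than the one file the step just produced; `sarif_file: 'trivy-image-results.sarif'` is the explicit choice. Moving `security-events: write` from the job to the workflow level is harmless with one job but silently grants it to any job added later; keeping it on the job is the tighter scope.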
diff --git a/CHANGES.md b/CHANGES.md index da2f591..8f2eefb 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -12,20 +12,20 @@ * container-structure-test to check PHP version (currently set to 8.5.3) * container-structure-test to check swoole version (currently set to 6.2.0) * SECURITY.md to align with appwrite/appwrite -* ### Change * .github/*.yml steps updated to latest versions * .gitignore now includes log and scanning output rules -* Better document use of `docker-buildx build ...` for local builds +* Better document use of `docker buildx ...` for local builds * Better noted and organized the different build processes for PHP extensions * Date component of PHP extension shared objects directory now a build argument * Dockerfile compile and final stage system packages aligned +* Github action for container-structure-test now uses a marketplace action * Github action runners pinned to Ubuntu 24.04 * ImageMagick version bumped to 7.1.2.15, tests.yaml aligned to ensure new version * PHP version bumped to 8.5.3 -* Refactory multi-arch build process to prevent cross-arch builds requiring long wait times +* Refactored multi-arch build process to prevent cross-arch builds requiring long wait times * Swoole version bumped to 6.2.0 ### Fixes diff --git a/Dockerfile b/Dockerfile index 884c9d5..77cfb0b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_IMAGE="php:8.5.3-cli-alpine3.23" +ARG BASE_IMAGE="phpswoole/swoole:php8.5-alpine" ARG PHP_BUILD_DATE="20250925" FROM $BASE_IMAGE AS compile @@ -168,9 +168,7 @@ RUN pecl install opentelemetry-${PHP_OPENTELEMETRY_VERSION} FROM compile AS protobuf RUN pecl install protobuf-${PHP_PROTOBUF_VERSION} -# FROM $BASE_IMAGE AS final -FROM "phpswoole/swoole:php8.5-alpine" AS final - +FROM $BASE_IMAGE AS final # Pass in ARGS to use as label values and path components diff --git a/README.md b/README.md index 14f3db3..9de35ed 100644 --- a/README.md +++ b/README.md 
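Review bot: `ARG BASE_IMAGE="phpswoole/swoole:php8.5-alpine"` replaces a tag that pinned PHP 8.5.3 and Alpine 3.23 with a floating one, so two builds of the same commit can contain different PHP, Alpine and Swoole versions and the Trivy result of one run says nothing about the next. Pin to a patch-level tag plus digest, e.g. `ARG BASE_IMAGE="phpswoole/swoole:<exact tag>@sha256:<digest>"`, and bump it deliberately (Dependabot or Renovate can track the digest). Restoring `FROM $BASE_IMAGE AS final` so both stages share one base is the right fix for the extension/runtime build mismatch introduced earlier in this series.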
@@ -37,7 +37,7 @@ In order to run this container you'll need the Docker runtime installed. ## Build ```shell -docker-buildx build --no-cache --tag appwrite/base:latest . +docker build --no-cache --tag appwrite/base:latest . # exit code 0 ``` @@ -77,7 +77,7 @@ docker run appwrite/base:latest php -m ## Push -Note: Build of the image and push to the registry shoudl be handle by automation. +Pushing a built image to a repository should be handle by automation. ```bash docker push appwrite/base:latest | tee "push-$(date +%s).log" diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..3c5864e --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,102 @@ +# Security Policy + +## Supported Appwrite Versions + +| Version | Supported | +| --------- | ------------------ | +| <= 0.15.x | :x: | +| 1.0.x | :white_check_mark: | +| 1.1.x | :white_check_mark: | +| 1.2.x | :white_check_mark: | +| 1.3.x | :white_check_mark: | +| 1.4.x | :white_check_mark: | +| 1.5.x | :white_check_mark: | +| 1.6.x | :white_check_mark: | +| 1.7.x | :white_check_mark: | +| 1.8.x | :white_check_mark: | + +# Responsible Disclosure Policy + +Appwrite welcomes responsible security research and is committed to keeping our users, data, and infrastructure safe. + +## Contact + +We only accept **email** reports. Please use this address for all vulnerability reports: security@appwrite.io + +Do **not** open public GitHub issues for security problems. + +--- + +## In Scope + +| Category | Included | +|--------------------|----------| +| Production domains | `*.appwrite.io`, `*.appwrite.network`, `*.appwrite.run` | +| Open-source repos | Everything under `github.com/appwrite/*` or `github.com/utopia-php/*`| +| Official SDKs | All Appwrite-maintained SDKs and demo apps | + +--- + +## Out of Scope + +* Third-party integrations +* Rate-limit or brute-force findings +* Self-XSS or clickjacking on static marketing pages +* Missing SPF, DMARC, or DKIM records without an exploitable impact +* Vulnerabilities in dependencies with no viable exploit path + +--- + +## Safe Harbor + +We will not pursue legal action or law-enforcement involvement for research that: + +1. Targets only systems listed as in scope +2. Respects user privacy and does not exfiltrate data +3. Avoids service degradation or denial of service +4. 
Allows us reasonable time to remediate before public disclosure + +--- + +## Reporting Format + +Include the following for fastest triage: + +* Clear title and summary of the issue +* Step-by-step reproduction or proof-of-concept +* Impact assessment +* Affected endpoint, repo, or component +* Suggested remediation if known + +Screenshots and detailed logs are appreciated. + +--- + +## Recognition + +Discretionary swag bounties **may** be awarded, but are not guaranteed. + +--- + +## Duplicate Handling + +We will inform if a report is a duplicate and no further action will be taken. + +--- + +## Public Disclosure + +Please wait until either the fix is live or 90 days have passed since our acknowledgment, whichever comes first, before publishing details. Extensions can be arranged by mutual agreement. + +--- + +## Prohibited Actions + +* Social engineering Appwrite core team or customers +* Physical attacks on offices or data centers +* Volumetric denial of service +* Automated scanning that degrades service for other users + +--- + +Thank you for helping keep Appwrite secure. diff --git a/TODO.md b/TODO.md index 5a9e7b2..e596f05 100644 --- a/TODO.md +++ b/TODO.md @@ -1,9 +1,6 @@ # TODO -- [add dive analysis to project](https://github.com/marketplace/actions/dive-action) -- audit system packages in Dockerfile -> final -- can we get pre-compiled extensions *.so / extensions -- install gd and run stage should be separate -- use Swoole base image -- xdebug as separate image `appwrite/base-xdebug` -- push job should require all tests to pass which should require build to successed. Reduce duplication of steps across jobs +- can we get pre-compiled extensions *.so / extensions? +- xdebug as separate image `appwrite/base:XYZ-xdebug` +- Github action should only build the image once, cache it, the use it downstream. No need to build it in every job + - https://stackoverflow.com/questions/75632970/how-to-use-docker-build-in-next-step-of-github-actions-after-build-step 
diff --git a/tests.yaml b/tests.yaml index 5e524f1..0f8f8d0 100644 --- a/tests.yaml +++ b/tests.yaml @@ -4,7 +4,7 @@ commandTests: - name: 'Imagemagick command' command: "magick" args: ["--version"] - expectedOutput: [".*ImageMagick 7.1.2.15"] + expectedOutput: [".*ImageMagick 7.1.2.*"] - name: 'rsync command' command: "rsync" args: ["--version"] From 11abdac2434c91210797c871bb29190d26f539a5 Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Thu, 12 Mar 2026 15:07:18 +0100 Subject: [PATCH 18/23] FIX scheduled trivy GH action --- .github/workflows/scheduled-trivy.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/scheduled-trivy.yml b/.github/workflows/scheduled-trivy.yml index 0d68700..28620b2 100644 --- a/.github/workflows/scheduled-trivy.yml +++ b/.github/workflows/scheduled-trivy.yml @@ -29,12 +29,11 @@ jobs: run: | docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} . - - name: Run Trivy vulnerability scanner + - name: Run Trivy vulnerability scanner (sarif report) uses: aquasecurity/trivy-action@0.35.0 with: - image-ref: 'appwrite/docker-base:${{ github.sha }}' - format: 'template' - template: '@/contrib/sarif.tpl' + format: 'sarif' + image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}' output: 'trivy-image-results.sarif' severity: 'CRITICAL,HIGH' From 36c11ed7d6b81c98409037cc982bfcf60c4741f5 Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Thu, 12 Mar 2026 15:17:02 +0100 Subject: [PATCH 19/23] FIX spelling --- CHANGES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index 8f2eefb..54e9b8f 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -7,7 +7,7 @@ * .dockerignore * .github/workflows/pr-scan.yml to scan all commit pushes for vulnerabilities * .github/workflows/lifecycle-policy.yml to prune sha tagged images excluding the most recent 7 -* base_image and php_build_date to containber labels +* base_image and php_build_date to container labels * container image build action to publish image using commit sha * container-structure-test to check PHP version (currently set to 8.5.3) * container-structure-test to check swoole version (currently set to 6.2.0) From 434dbb20777acd219d3e95caaaba1834ed40291c Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Thu, 12 Mar 2026 16:38:38 +0100 Subject: [PATCH 20/23] Changes from feedback --- .github/workflows/build-and-push.yml | 6 ++-- .github/workflows/lifecycle-policy.yml | 36 --------------------- .github/workflows/scheduled-trivy.yml | 44 -------------------------- .github/workflows/trivy.yml | 13 ++++++-- .gitignore | 3 -- CHANGES.md | 3 +- Dockerfile | 8 ++--- 7 files changed, 19 insertions(+), 94 deletions(-) delete mode 100644 .github/workflows/lifecycle-policy.yml delete mode 100644 .github/workflows/scheduled-trivy.yml diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index b7750e1..1cbee3e 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -1,6 +1,9 @@ name: Build and Push -on: push +on: + push: + release: + types: [published] permissions: contents: read @@ -13,7 +16,6 @@ env: # https://learn.arm.com/learning-paths/cross-platform/github-arm-runners/actions/ jobs: build_and_push: - if: github.ref != 'refs/heads/main' runs-on: ${{ matrix.os }} strategy: matrix: diff --git a/.github/workflows/lifecycle-policy.yml b/.github/workflows/lifecycle-policy.yml deleted file mode 100644 index faaca1f..0000000 --- a/.github/workflows/lifecycle-policy.yml +++ /dev/null 
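Review bot: With the `if: github.ref != 'refs/heads/main'` guard removed and `push:` left without a `branches:` filter, every push to any branch (and every tag push) now builds and publishes `${{ github.sha }}-<arch>` images to the public `appwrite/base` repository on Docker Hub with the repo's `DOCKERHUB_TOKEN`, so unreviewed branch code appears under the official image name. A tag push followed by publishing the release also triggers two full builds. Consider `push: branches: [main]` together with the `release:` trigger, or push branch builds to a separate development repository. If publishing every branch is intentional, a comment above `on:` stating that would help the next reader.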
@@ -1,36 +0,0 @@ -# https://github.com/marketplace/actions/delete-package-versions -# Ignore SemVer tags (proper releases) -# Keep 7 sha tagged images (ordred by publish datetime) - -name: Container Lifecycle Policy - -on: - schedule: - - cron: '30 9 * * *' - -permissions: - contents: read - -env: - IMAGE_NAME: appwrite/base - REGISTRY: docker.io - -jobs: - prune_sha_tagged_images: - runs-on: ubuntu-24.04 - steps: - - name: Login to DockerHub - uses: docker/login-action@v4 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - # TODO pull all the images in the registry before running this. Be sure we have a backup - # # https://github.com/marketplace/actions/delete-package-versions#delete-oldest-x-number-of-versions-while-ignoring-particular-package-versions - # # Ignore SemVer tagged images https://ihateregex.io/expr/semver/ - # - uses: actions/delete-package-versions@v5 - # with: - # ignore-versions: '^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$' - # min-versions-to-keep: 7 - # package-name: 'base' - # package-type: 'container' diff --git a/.github/workflows/scheduled-trivy.yml b/.github/workflows/scheduled-trivy.yml deleted file mode 100644 index 28620b2..0000000 --- a/.github/workflows/scheduled-trivy.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -name: Scheduled Trivy Scan - -on: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - schedule: - - cron: '43 11 * * 6' - -permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - -env: - IMAGE_NAME: appwrite/base - REGISTRY: docker.io - -jobs: - scheduled_trivy: - runs-on: ubuntu-24.04 - steps: - - name: Checkout code - uses: actions/checkout@v6.0.2 - - - name: Build an image from Dockerfile - run: | - docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} . - - - name: Run Trivy vulnerability scanner (sarif report) - uses: aquasecurity/trivy-action@0.35.0 - with: - format: 'sarif' - image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}' - output: 'trivy-image-results.sarif' - severity: 'CRITICAL,HIGH' - - # https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml - - name: Upload Trivy scan results - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: '.' diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 4a5e78f..b41ee89 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -1,7 +1,14 @@ # https://github.com/aquasecurity/trivy-action -name: Push Trivy Scan +name: Trivy Scan -on: push +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '43 11 * * 6' permissions: contents: read # for actions/checkout to fetch code @@ -13,7 +20,7 @@ env: REGISTRY: docker.io jobs: - trivy: + scheduled_trivy: runs-on: ubuntu-24.04 steps: - name: Checkout code diff --git a/.gitignore b/.gitignore index 19f8560..485dee6 100644 
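Review bot: Adding `pull_request:` to a workflow whose top-level permissions include `security-events: write` means pull requests from forks run with a read-only `GITHUB_TOKEN`, so the upload-sarif step will fail for external contributors while the scan itself still runs; if fork PRs are expected, guard the upload with `if: github.event.pull_request.head.repo.full_name == github.repository` or accept the failure deliberately and say so in a comment. The job is renamed `scheduled_trivy` but now runs on push, pull request and schedule, so `trivy` or `image_scan` would describe it better. Restricting `push` to `main` also means feature branches are no longer scanned on push, only via a PR into `main`, which is probably fine but worth a line in CHANGES.md.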
--- a/.gitignore +++ b/.gitignore @@ -1,4 +1 @@ .idea -*.log -NOTES*.md -trivy-*-results.json diff --git a/CHANGES.md b/CHANGES.md index 54e9b8f..2a49935 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -6,7 +6,6 @@ * .dockerignore * .github/workflows/pr-scan.yml to scan all commit pushes for vulnerabilities -* .github/workflows/lifecycle-policy.yml to prune sha tagged images excluding the most recent 7 * base_image and php_build_date to container labels * container image build action to publish image using commit sha * container-structure-test to check PHP version (currently set to 8.5.3) @@ -16,7 +15,6 @@ ### Change * .github/*.yml steps updated to latest versions -* .gitignore now includes log and scanning output rules * Better document use of `docker buildx ...` for local builds * Better noted and organized the different build processes for PHP extensions * Date component of PHP extension shared objects directory now a build argument @@ -36,4 +34,5 @@ ### Removed +* Build tools from final stage of Dockerfile * Github action to Setup QEMU as GitHub now provides native ARM runners diff --git a/Dockerfile b/Dockerfile index 77cfb0b..6ffa3cd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,8 +21,8 @@ ENV \ RUN \ apk update && \ apk upgrade && \ - apk add --no-cache --virtual .deps \ - && apk add --no-cache \ + apk add --no-cache --virtual .deps && \ + apk add --no-cache \ autoconf \ automake \ brotli-dev \ @@ -185,8 +185,8 @@ RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && \ RUN \ apk update && \ apk upgrade && \ - apk add --no-cache --virtual .deps \ - && apk add --no-cache \ + apk add --no-cache --virtual .deps && \ + apk add --no-cache \ autoconf \ automake \ brotli-dev \ From b7bc9f08d4654b2fcb005b7c2d2a72e2ea2ba699 Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Thu, 12 Mar 2026 21:24:33 +0100 Subject: [PATCH 21/23] Feedback improvements --- .github/workflows/build-and-push.yml | 1 - Dockerfile | 1 - 2 files changed, 2 deletions(-) 
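Review bot: `apk add --no-cache --virtual .deps && \` in both hunks installs nothing: `--virtual` with an empty package list creates an empty virtual package, so there is no `.deps` group to `apk del` later and the build tools in the following `apk add` (autoconf, automake, brotli-dev, …) stay in the layer. In the final stage (second hunk) this contradicts the `Build tools from final stage of Dockerfile` entry added under Removed in CHANGES.md by the same commit; either move those packages under `--virtual .deps` and end the `RUN` with `apk del .deps`, or drop the `--virtual` line and keep the final-stage package list to runtime libraries. The `RUN` block continues past the hunk, so the full package list isn't visible here.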
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 1cbee3e..d8dcbbb 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -64,7 +64,6 @@ jobs: run: | docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} - manifest_build_and_push_on_main: if: github.ref == 'refs/heads/main' needs: build_and_push diff --git a/Dockerfile b/Dockerfile index 6ffa3cd..756de43 100644 --- a/Dockerfile +++ b/Dockerfile @@ -185,7 +185,6 @@ RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && \ RUN \ apk update && \ apk upgrade && \ - apk add --no-cache --virtual .deps && \ apk add --no-cache \ autoconf \ automake \ From 60392bad791970083c216e73842cd35312214291 Mon Sep 17 00:00:00 2001 From: David J Eddy Date: Thu, 12 Mar 2026 22:48:43 +0100 Subject: [PATCH 22/23] Feedback corrections --- .dive-ci => .dive-ci.yml | 0 .github/workflows/build-and-push.yml | 2 +- .github/workflows/dive.yml | 1 + CHANGES.md | 12 ++++++------ Dockerfile | 7 ++++--- README.md | 2 +- TODO.md | 2 +- 7 files changed, 14 insertions(+), 12 deletions(-) rename .dive-ci => .dive-ci.yml (100%) diff --git a/.dive-ci b/.dive-ci.yml similarity index 100% rename from .dive-ci rename to .dive-ci.yml diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index d8dcbbb..b682ac9 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -26,7 +26,7 @@ jobs: arch: arm64 steps: - name: Checkout the repo - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.2 - name: Login to DockerHub uses: docker/login-action@v4 diff --git a/.github/workflows/dive.yml b/.github/workflows/dive.yml index b9ab28a..fea47d0 100644 --- a/.github/workflows/dive.yml +++ b/.github/workflows/dive.yml 
@@ -23,4 +23,5 @@ jobs:
 - name: Dive
 uses: yuichielectric/dive-action@0.0.4
 with:
+ config-file: ${{ github.workspace }}/.dive-ci.yml
 image: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'
diff --git a/CHANGES.md b/CHANGES.md
index 2a49935..b2c4c28 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -18,13 +18,13 @@
 * Better document use of `docker buildx ...` for local builds
 * Better noted and organized the different build processes for PHP extensions
 * Date component of PHP extension shared objects directory now a build argument
+* Dockerfile base now based on `phpswoole/swoole:php8.5-alpine`
 * Dockerfile compile and final stage system packages aligned
-* Github action for container-structure-test now uses a marketplace action
-* Github action runners pinned to Ubuntu 24.04
-* ImageMagick version bumped to 7.1.2.15, tests.yaml aligned to ensure new version
-* PHP version bumped to 8.5.3
+* GitHub action for container-structure-test now uses a marketplace action
+* GitHub action runners pinned to Ubuntu 24.04
+* ImageMagick version bumped to 7.1.2.15 via APK
+* PHP version bumped to 8.5
 * Refactored multi-arch build process to prevent cross-arch builds requiring long wait times
-* Swoole version bumped to 6.2.0
 ### Fixes
@@ -35,4 +35,4 @@
 ### Removed
 * Build tools from final stage of Dockerfile
-* Github action to Setup QEMU as GitHub now provides native ARM runners
+* GitHub action to Setup QEMU as GitHub now provides native ARM runners
diff --git a/Dockerfile b/Dockerfile
index 756de43..77cfb0b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,8 +21,8 @@ ENV \
 RUN \
 apk update && \
 apk upgrade && \
- apk add --no-cache --virtual .deps && \
- apk add --no-cache \
+ apk add --no-cache --virtual .deps \
+ && apk add --no-cache \
 autoconf \
 automake \
 brotli-dev \
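Review bot: The new `config-file: ${{ github.workspace }}/.dive-ci.yml` input is not checked anywhere visible against what `yuichielectric/dive-action@0.0.4` actually declares; an unknown key under `with:` only yields an "Unexpected input" warning and the step keeps running, and since this patch also renames `.dive-ci` (dive's default rules file name, if I recall its defaults correctly) to `.dive-ci.yml`, a mismatched input name would leave the gate running on dive's built-in defaults rather than the repository's rules — worth confirming against the action's `action.yml`. The README hunk in this same patch documents the local equivalent as `CI=true dive --confog .dive-ci.yml appwrite/base:latest`; `--confog` is a typo, and the CI rules file is passed to dive with `--ci-config`, so `CI=true dive --ci-config .dive-ci.yml appwrite/base:latest` is probably the line intended. Separately, this action is pinned to the mutable tag `0.0.4` while `aquasecurity/trivy-action` elsewhere in the series is pinned by commit SHA; pinning by SHA here too keeps the third-party actions consistently immutable. The `steps:` list ends with this hunk.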
@@ -185,7 +185,8 @@ RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && \
 RUN \
 apk update && \
 apk upgrade && \
- apk add --no-cache \
+ apk add --no-cache --virtual .deps \
+ && apk add --no-cache \
 autoconf \
 automake \
 brotli-dev \
diff --git a/README.md b/README.md
index 9de35ed..bac9ffb 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,7 @@ trivy image --format json --pkg-types os,library --severity CRITICAL,HIGH --ou
 ```bash
 container-structure-test test --config tests.yaml --image appwrite/base:latest # PASS
-CI=true dive appwrite/base:latest
+CI=true dive --confog .dive-ci.yml appwrite/base:latest
 # Results:
 # PASS: highestUserWastedPercent
 # PASS: highestWastedBytes
diff --git a/TODO.md b/TODO.md
index e596f05..06bb501 100644
--- a/TODO.md
+++ b/TODO.md
@@ -2,5 +2,5 @@
 - can we get pre-compiled extensions *.so / extensions?
 - xdebug as separate image `appwrite/base:XYZ-xdebug`
-- Github action should only build the image once, cache it, the use it downstream. No need to build it in every job
+- GitHub action should only build the image once, cache it, the use it downstream. No need to build it in every job
 - https://stackoverflow.com/questions/75632970/how-to-use-docker-build-in-next-step-of-github-actions-after-build-step
From 26938475bbe890697bfcb1bbc4255eec265bf32a Mon Sep 17 00:00:00 2001
From: David J Eddy
Date: Fri, 13 Mar 2026 08:19:03 +0100
Subject: [PATCH 23/23] Feedback corrections
---
 TODO.md | 6 ------
 1 file changed, 6 deletions(-)
 delete mode 100644 TODO.md
diff --git a/TODO.md b/TODO.md
deleted file mode 100644
index 06bb501..0000000
--- a/TODO.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# TODO
-
-- can we get pre-compiled extensions *.so / extensions?
-- xdebug as separate image `appwrite/base:XYZ-xdebug`
-- GitHub action should only build the image once, cache it, the use it downstream. No need to build it in every job
- - https://stackoverflow.com/questions/75632970/how-to-use-docker-build-in-next-step-of-github-actions-after-build-step
