From d8334dee499872a2d8f61b820ac80a3f5b10a15c Mon Sep 17 00:00:00 2001 From: Soner Sayakci Date: Thu, 2 Apr 2026 11:11:19 +0200 Subject: [PATCH 1/6] build: migrate to docker/github-builder reusable workflows Replace custom build-bake-publish composite action with docker/github-builder bake.yml reusable workflow. This brings SLSA provenance attestations, Cosign signing, and standardized Docker-maintained build infrastructure. - Consolidate changed-files detection into a single job - Remove Namespace Labs cloud builder dependency - Use registry-auths secret for Docker Hub and GHCR auth - Pass imageSuffix/tagPrefix via bake vars input - Simplify conditional logic in check/dev-check jobs --- .github/action/build-bake-publish/action.yml | 44 --- .github/workflows/build.yml | 366 +++++++++---------- 2 files changed, 179 insertions(+), 231 deletions(-) delete mode 100644 .github/action/build-bake-publish/action.yml diff --git a/.github/action/build-bake-publish/action.yml b/.github/action/build-bake-publish/action.yml deleted file mode 100644 index c619e89..0000000 --- a/.github/action/build-bake-publish/action.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -name: 'Build and Publish' -description: 'Builds Image and pushes' -inputs: - targets: - description: 'Targets' - required: true - default: '' - docker_hub_username: - description: 'Docker Hub username' - required: true - docker_hub_password: - description: 'Docker Hub password' - required: true - github_token: - description: 'GitHub token' - required: true -runs: - using: "composite" - steps: - - name: Install and configure Namespace CLI - uses: namespacelabs/nscloud-setup@v0 - - - name: Configure Namespace powered Buildx - uses: namespacelabs/nscloud-setup-buildx-action@v0 - - - name: Login into Docker Hub - shell: bash - run: echo "${{ inputs.docker_hub_password }}" | docker login -u ${{ inputs.docker_hub_username }} --password-stdin - - - name: Login into Github Docker Registry - shell: bash - run: echo "${{ inputs.github_token }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - - - name: Build and push - uses: docker/bake-action@v6 - with: - push: true - targets: ${{ inputs.targets }} - no-cache: true - env: - DOCKER_BUILD_RECORD_UPLOAD: false - DOCKER_BUILD_SUMMARY: false - imageSuffix: ${{ github.event_name == 'pull_request' && '-ci-test' || '' }} - tagPrefix: ${{ github.event_name == 'pull_request' && format('{0}-', github.event.number) || '' }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cdfdc1d..212fb4e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -23,9 +23,13 @@ permissions: pull-requests: write jobs: - frankenphp: - name: FrankenPHP + changes: + name: Detect Changes runs-on: ubuntu-latest + outputs: + frankenphp: ${{ steps.changed-files.outputs.frankenphp_any_changed }} + fpm: ${{ steps.changed-files.outputs.fpm_any_changed }} + should_build: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'push' && github.ref == 'refs/heads/main' }} steps: - name: Checkout uses: actions/checkout@v6 
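Review bot: The new `should_build` output treats `workflow_dispatch` as buildable on any ref, while `push` is restricted to `refs/heads/main`; the bake jobs added in the next hunk run with `push: true` and only apply the `-ci-test` suffix and PR-number prefix when `github.event_name == 'pull_request'`, so a manual dispatch from a feature branch would publish under the release image names. If the workflow's `on:` block (outside this hunk) exposes `workflow_dispatch`, gate it the same way as push: `should_build: ${{ github.event_name == 'schedule' || ((github.event_name == 'workflow_dispatch' || github.event_name == 'push') && github.ref == 'refs/heads/main') }}`. The other two outputs read the `changed-files` step that is defined in the following hunk, so the `changes` job continues past the end of this one.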
@@ -34,213 +38,214 @@ jobs: id: changed-files uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v46 with: - files: | - docker-bake.hcl - frankenphp*/** + files_yaml: | + frankenphp: + - docker-bake.hcl + - frankenphp*/** + fpm: + - docker-bake.hcl + - fpm*/** + - nginx/** + - caddy/** + - dev/** - - name: Build - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main' - uses: ./.github/action/build-bake-publish - with: - targets: frankenphp - docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} - docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }} - github_token: ${{ secrets.GITHUB_TOKEN }} + frankenphp: + name: FrankenPHP + needs: [changes] + if: needs.changes.outputs.frankenphp == 'true' || needs.changes.outputs.should_build == 'true' + uses: docker/github-builder/.github/workflows/bake.yml@v1 + permissions: + contents: read + id-token: write + with: + output: image + push: true + target: frankenphp + distribute: false + vars: | + imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} + tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} + secrets: + registry-auths: | + - registry: docker.io + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + - registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} frankenphp-otel: name: FrankenPHP with OpenTelemetry - runs-on: namespace-profile-default - needs: [frankenphp] - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Get all changed files - id: changed-files - uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v46 - with: - files: | - docker-bake.hcl - frankenphp*/** - - - name: Build - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 
'push' && github.ref == 'refs/heads/main' - uses: ./.github/action/build-bake-publish - with: - targets: frankenphp-otel - docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} - docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }} - github_token: ${{ secrets.GITHUB_TOKEN }} + needs: [changes, frankenphp] + if: needs.changes.outputs.frankenphp == 'true' || needs.changes.outputs.should_build == 'true' + uses: docker/github-builder/.github/workflows/bake.yml@v1 + permissions: + contents: read + id-token: write + with: + output: image + push: true + target: frankenphp-otel + distribute: false + vars: | + imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} + tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} + secrets: + registry-auths: | + - registry: docker.io + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + - registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} fpm: name: FPM - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Get all changed files - id: changed-files - uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v46 - with: - files: | - docker-bake.hcl - fpm*/** - nginx/** - caddy/** - dev/** - - - name: Build - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main' - uses: ./.github/action/build-bake-publish - with: - targets: fpm - docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} - docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }} - github_token: ${{ secrets.GITHUB_TOKEN }} + needs: [changes] + if: needs.changes.outputs.fpm == 'true' || needs.changes.outputs.should_build == 'true' + uses: docker/github-builder/.github/workflows/bake.yml@v1 + permissions: + contents: read + id-token: write + with: + output: image + 
push: true + target: fpm + distribute: false + vars: | + imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} + tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} + secrets: + registry-auths: | + - registry: docker.io + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + - registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} fpm-otel: name: FPM with OpenTelemetry - runs-on: ubuntu-latest - needs: [fpm] - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Get all changed files - id: changed-files - uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v46 - with: - files: | - docker-bake.hcl - fpm*/** - nginx/** - caddy/** - dev/** - - - name: Build - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main' - uses: ./.github/action/build-bake-publish - with: - targets: fpm-otel - docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} - docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }} - github_token: ${{ secrets.GITHUB_TOKEN }} + needs: [changes, fpm] + if: needs.changes.outputs.fpm == 'true' || needs.changes.outputs.should_build == 'true' + uses: docker/github-builder/.github/workflows/bake.yml@v1 + permissions: + contents: read + id-token: write + with: + output: image + push: true + target: fpm-otel + distribute: false + vars: | + imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} + tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} + secrets: + registry-auths: | + - registry: docker.io + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + - registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} webserver: 
name: ${{ matrix.webserver }} - runs-on: ubuntu-latest - needs: [fpm] + needs: [changes, fpm] + if: needs.changes.outputs.fpm == 'true' || needs.changes.outputs.should_build == 'true' strategy: fail-fast: false matrix: webserver: [ caddy, nginx ] - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Get all changed files - id: changed-files - uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v46 - with: - files: | - docker-bake.hcl - fpm/** - ${{ matrix.webserver }}/** - dev/** - - - name: Build - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main' - uses: ./.github/action/build-bake-publish - with: - targets: ${{ matrix.webserver}} - docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} - docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }} - github_token: ${{ secrets.GITHUB_TOKEN }} + uses: docker/github-builder/.github/workflows/bake.yml@v1 + permissions: + contents: read + id-token: write + with: + output: image + push: true + target: ${{ matrix.webserver }} + distribute: false + vars: | + imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} + tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} + secrets: + registry-auths: | + - registry: docker.io + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + - registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} webserver-otel: name: ${{ matrix.webserver }} with OpenTelemetry - runs-on: ubuntu-latest - needs: [fpm-otel] + needs: [changes, fpm-otel] + if: needs.changes.outputs.fpm == 'true' || needs.changes.outputs.should_build == 'true' strategy: fail-fast: false matrix: webserver: [ caddy, nginx ] - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Get all changed files - id: changed-files - uses: 
tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v46 - with: - files: | - docker-bake.hcl - fpm/** - ${{ matrix.webserver }}/** - dev/** - - - name: Build - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main' - uses: ./.github/action/build-bake-publish - with: - targets: ${{ matrix.webserver}}-otel - docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} - docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }} - github_token: ${{ secrets.GITHUB_TOKEN }} + uses: docker/github-builder/.github/workflows/bake.yml@v1 + permissions: + contents: read + id-token: write + with: + output: image + push: true + target: ${{ matrix.webserver }}-otel + distribute: false + vars: | + imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} + tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} + secrets: + registry-auths: | + - registry: docker.io + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + - registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} dev: name: Dev ${{ matrix.webserver }} - runs-on: ubuntu-latest - needs: [webserver-otel] + needs: [changes, webserver-otel] + if: needs.changes.outputs.fpm == 'true' || needs.changes.outputs.should_build == 'true' strategy: fail-fast: false matrix: webserver: [ caddy, nginx ] - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Get all changed files - id: changed-files - uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v46 - with: - files: | - docker-bake.hcl - fpm/** - ${ matrix.webserver }/** - dev/** - - - name: Build - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main' - uses: ./.github/action/build-bake-publish 
- with: - targets: ${{ matrix.webserver }}-dev - docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} - docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }} - github_token: ${{ secrets.GITHUB_TOKEN }} + uses: docker/github-builder/.github/workflows/bake.yml@v1 + permissions: + contents: read + id-token: write + with: + output: image + push: true + target: ${{ matrix.webserver }}-dev + distribute: false + vars: | + imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} + tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} + secrets: + registry-auths: | + - registry: docker.io + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + - registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} dev-check: name: Check Dev Image runs-on: ubuntu-latest - needs: [dev] + needs: [changes, dev] + if: needs.changes.outputs.fpm == 'true' || needs.changes.outputs.should_build == 'true' steps: - name: Checkout uses: actions/checkout@v6 - - name: Get all changed files - id: changed-files - uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v46 - with: - files: | - docker-bake.hcl - fpm/** - nginx/** - caddy/** - dev/** - - name: Install a binary from GitHub releases - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main' uses: jaxxstorm/action-install-gh-release@v3.0.0 with: repo: GoogleContainerTools/container-structure-test @@ -249,7 +254,6 @@ jobs: chmod: 0755 - name: Determine image tag - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main' id: image-tag run: | if [[ "${{ github.event_name }}" == "pull_request" ]]; then 
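Review bot: Every `permissions:` block on the new reusable-workflow calls grants only `contents: read` and `id-token: write`, and a job-level block replaces the workflow-level permissions for that job, yet the same job passes `secrets.GITHUB_TOKEN` as the `ghcr.io` credential in `registry-auths` with `push: true`. Without `packages: write` that token is not authorized to push to GHCR, so each block (frankenphp, frankenphp-otel, fpm, fpm-otel, webserver, webserver-otel and dev) should add `packages: write`, and docker/github-builder's documentation should be checked for any further scope its provenance and signing steps expect. Separately, the file pins `tj-actions/changed-files` to a full commit SHA with a `# v46` comment, while `uses: docker/github-builder/.github/workflows/bake.yml@v1` is a moving tag that receives the Docker Hub password and the token; pinning the reusable workflow to a commit SHA with a version comment keeps the file's own convention and makes the code handling those secrets reviewable. The hunk ends inside the `dev-check` job, whose remaining steps lie outside it.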
@@ -259,17 +263,16 @@ jobs: fi - name: Pull image - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main' run: docker pull ${{ steps.image-tag.outputs.IMAGE_TAG }} - name: Test Dev Image - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main' run: container-structure-test test --config dev/config.yaml --image ${{ steps.image-tag.outputs.IMAGE_TAG }} check: name: Test Image with Webserver ${{ matrix.webserver }} runs-on: ubuntu-latest - needs: [webserver] + needs: [changes, webserver] + if: needs.changes.outputs.fpm == 'true' || needs.changes.outputs.should_build == 'true' strategy: matrix: webserver: 
@@ -282,32 +285,23 @@ jobs: - name: Checkout uses: actions/checkout@v6 - - name: Get all changed files - id: changed-files - uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v46 - with: - files: | - ${{ matrix.webserver }}/** - - name: Checkout example repo uses: actions/checkout@v6 with: repository: shopwareLabs/example-docker-repository - name: Build main branch - if: github.ref == 'refs/heads/main' && (steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main') + if: github.ref == 'refs/heads/main' run: docker compose build --build-arg BASE_IMAGE=ghcr.io/shopware/docker-base:8.3-caddy - name: Build PR - if: github.ref != 'refs/heads/main' && (steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main') + if: github.ref != 'refs/heads/main' run: docker compose build --build-arg BASE_IMAGE=ghcr.io/shopware/docker-base-ci-test:${{ github.event.number }}-8.3-${{ matrix.webserver}} - name: Run image - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main' run: docker compose up -d --wait - name: Wait for Webserver reachable - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main' run: | attempt_counter=0 max_attempts=5 
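Review bot: The `Build PR` step is now gated on `github.ref != 'refs/heads/main'`, but the image it pulls, `docker-base-ci-test:${{ github.event.number }}-8.3-…`, is only produced when the bake jobs ran on a `pull_request` event (their `imageSuffix`/`tagPrefix` vars are keyed on `github.event_name == 'pull_request'`); with `should_build` now covering `workflow_dispatch`, a dispatch on another branch would reach this step with an empty `github.event.number`. Keying both steps on the event instead, `if: github.event_name == 'pull_request'` and `if: github.event_name != 'pull_request'`, matches the tag logic the build jobs use. The bake jobs also read `github.event.pull_request.number` where this step reads `github.event.number`; the values agree on pull_request events, but one name in both places makes the coupling visible. The `Build main branch` line under the changed `if` still hard-codes `8.3-caddy` regardless of `matrix.webserver`, which this commit did not touch but now sits beside the per-webserver PR branch.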
@@ -324,14 +318,12 @@ jobs: done - name: Check if shopware admin is running - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main' run: curl --fail localhost:8000/admin - name: Check if shopware is running - if: steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main' run: curl --fail localhost:8000 # output logs if failed - name: Output logs - if: always() && (steps.changed-files.outputs.any_changed == 'true' || github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main') + if: always() run: docker compose logs From e46c93d8f5c46351e4e0bb56893399c360202d34 Mon Sep 17 00:00:00 2001 From: Soner Sayakci Date: Thu, 2 Apr 2026 11:13:11 +0200 Subject: [PATCH 2/6] build: trigger all builds when workflow file changes --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 212fb4e..5124028 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -41,9 +41,11 @@ jobs: files_yaml: | frankenphp: - docker-bake.hcl + - .github/workflows/build.yml - frankenphp*/** fpm: - docker-bake.hcl + - .github/workflows/build.yml - fpm*/** - nginx/** - caddy/** From a75ceccc5a42c939f97268a3e929a937bf7ce9bf Mon Sep 17 00:00:00 2001 From: Soner Sayakci Date: Thu, 2 Apr 2026 11:14:57 +0200 Subject: [PATCH 3/6] fix: add bake group blocks for matrix-expanded targets The github-builder bake workflow resolves targets by name, but matrix-expanded targets (e.g. fpm) only produce individual targets like fpm-8-2, fpm-8-3, etc. Add explicit group blocks so the original target names resolve to all their matrix variants. --- docker-bake.hcl | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) 
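Review bot: `if: always()` on the `Output logs` step also fires when the run is cancelled, which GitHub's own guidance discourages in favour of `if: ${{ !cancelled() }}`; the step only needs to run after the earlier steps succeeded or failed, so `!cancelled()` states that intent without running on cancellation. The `check` job this step belongs to starts outside the hunk.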
diff --git a/docker-bake.hcl b/docker-bake.hcl index eb4e6ce..115ac32 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -14,6 +14,46 @@ variable "frankenphpMatrix" { default = [ "8.2.30", "8.3.30", "8.4.19", "8.5.4" ] } +group "frankenphp" { + targets = [ for php in frankenphpMatrix : "frankenphp-${replace(substr(php, 0, 3), ".", "-")}" ] +} + +group "frankenphp-otel" { + targets = [ for php in frankenphpMatrix : "frankenphp-otel-${replace(substr(php, 0, 3), ".", "-")}" ] +} + +group "fpm" { + targets = [ for php in phpMatrix : "fpm-${replace(substr(php, 0, 3), ".", "-")}" ] +} + +group "fpm-otel" { + targets = [ for php in phpMatrix : "fpm-otel-${replace(substr(php, 0, 3), ".", "-")}" ] +} + +group "caddy" { + targets = [ for php in phpMatrix : "caddy-${replace(substr(php, 0, 3), ".", "-")}" ] +} + +group "caddy-otel" { + targets = [ for php in phpMatrix : "caddy-otel-${replace(substr(php, 0, 3), ".", "-")}" ] +} + +group "nginx" { + targets = [ for php in phpMatrix : "nginx-${replace(substr(php, 0, 3), ".", "-")}" ] +} + +group "nginx-otel" { + targets = [ for php in phpMatrix : "nginx-otel-${replace(substr(php, 0, 3), ".", "-")}" ] +} + +group "caddy-dev" { + targets = flatten([ for php in phpMatrix : [ for node in [ "22", "24" ] : "caddy-dev-${replace(substr(php, 0, 3), ".", "-")}-${node}" ] ]) +} + +group "nginx-dev" { + targets = flatten([ for php in phpMatrix : [ for node in [ "22", "24" ] : "nginx-dev-${replace(substr(php, 0, 3), ".", "-")}-${node}" ] ]) +} + # Frankenphp target "frankenphp" { From 7268f4298f95b81356638a882518484a42687e8d Mon Sep 17 00:00:00 2001 
From: Soner Sayakci Date: Thu, 2 Apr 2026 11:17:40 +0200 Subject: [PATCH 4/6] fix: use individual bake targets for github-builder compatibility github-builder enforces exactly one concrete target per workflow call. Move PHP version matrix to the workflow level and pass individual target names (e.g. fpm-8-3) instead of group names. Remove now-unnecessary group blocks from docker-bake.hcl. --- .github/workflows/build.yml | 48 ++++++++++++++++++++++++++----------- docker-bake.hcl | 40 ------------------------------- 2 files changed, 34 insertions(+), 54 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5124028..240cf57 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -52,9 +52,13 @@ jobs: - dev/** frankenphp: - name: FrankenPHP + name: FrankenPHP ${{ matrix.php }} needs: [changes] if: needs.changes.outputs.frankenphp == 'true' || needs.changes.outputs.should_build == 'true' + strategy: + fail-fast: false + matrix: + php: [ '8-2', '8-3', '8-4', '8-5' ] uses: docker/github-builder/.github/workflows/bake.yml@v1 permissions: contents: read @@ -62,7 +66,7 @@ jobs: with: output: image push: true - target: frankenphp + target: frankenphp-${{ matrix.php }} distribute: false vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} @@ -77,9 +81,13 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} frankenphp-otel: - name: FrankenPHP with OpenTelemetry + name: FrankenPHP OTel ${{ matrix.php }} needs: [changes, frankenphp] if: needs.changes.outputs.frankenphp == 'true' || needs.changes.outputs.should_build == 'true' + strategy: + fail-fast: false + matrix: + php: [ '8-2', '8-3', '8-4', '8-5' ] uses: docker/github-builder/.github/workflows/bake.yml@v1 permissions: contents: read 
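Review bot: The literal PHP matrix `php: [ '8-2', '8-3', '8-4', '8-5' ]` introduced here is repeated verbatim in the frankenphp-otel, fpm, fpm-otel, webserver, webserver-otel and dev jobs in the following hunks, and it must stay in step with the `phpMatrix`/`frankenphpMatrix` variables in docker-bake.hcl (`frankenphpMatrix` defaults to `"8.2.30", "8.3.30", "8.4.19", "8.5.4"` in the hcl hunks of this series) because a bake target is resolved by the exact name `frankenphp-${{ matrix.php }}`; a version added on one side but not the other either fails target resolution or is never built. Defining the list once as an output of the `changes` job, e.g. `php_matrix: '["8-2", "8-3", "8-4", "8-5"]'`, and consuming it with `php: ${{ fromJSON(needs.changes.outputs.php_matrix) }}` in each job would leave a single place to edit. The frankenphp job whose header is changed here continues past the end of the hunk.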
@@ -87,7 +95,7 @@ jobs: with: output: image push: true - target: frankenphp-otel + target: frankenphp-otel-${{ matrix.php }} distribute: false vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} @@ -102,9 +110,13 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} fpm: - name: FPM + name: FPM ${{ matrix.php }} needs: [changes] if: needs.changes.outputs.fpm == 'true' || needs.changes.outputs.should_build == 'true' + strategy: + fail-fast: false + matrix: + php: [ '8-2', '8-3', '8-4', '8-5' ] uses: docker/github-builder/.github/workflows/bake.yml@v1 permissions: contents: read @@ -112,7 +124,7 @@ jobs: with: output: image push: true - target: fpm + target: fpm-${{ matrix.php }} distribute: false vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} @@ -127,9 +139,13 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} fpm-otel: - name: FPM with OpenTelemetry + name: FPM OTel ${{ matrix.php }} needs: [changes, fpm] if: needs.changes.outputs.fpm == 'true' || needs.changes.outputs.should_build == 'true' + strategy: + fail-fast: false + matrix: + php: [ '8-2', '8-3', '8-4', '8-5' ] uses: docker/github-builder/.github/workflows/bake.yml@v1 permissions: contents: read @@ -137,7 +153,7 @@ jobs: with: output: image push: true - target: fpm-otel + target: fpm-otel-${{ matrix.php }} distribute: false vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} @@ -152,13 +168,14 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} webserver: - name: ${{ matrix.webserver }} + name: ${{ matrix.webserver }} ${{ matrix.php }} needs: [changes, fpm] if: needs.changes.outputs.fpm == 'true' || needs.changes.outputs.should_build == 'true' strategy: fail-fast: false matrix: webserver: [ caddy, nginx ] + php: [ '8-2', '8-3', '8-4', '8-5' ] uses: docker/github-builder/.github/workflows/bake.yml@v1 permissions: contents: read 
@@ -166,7 +183,7 @@ jobs: with: output: image push: true - target: ${{ matrix.webserver }} + target: ${{ matrix.webserver }}-${{ matrix.php }} distribute: false vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} @@ -181,13 +198,14 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} webserver-otel: - name: ${{ matrix.webserver }} with OpenTelemetry + name: ${{ matrix.webserver }} OTel ${{ matrix.php }} needs: [changes, fpm-otel] if: needs.changes.outputs.fpm == 'true' || needs.changes.outputs.should_build == 'true' strategy: fail-fast: false matrix: webserver: [ caddy, nginx ] + php: [ '8-2', '8-3', '8-4', '8-5' ] uses: docker/github-builder/.github/workflows/bake.yml@v1 permissions: contents: read @@ -195,7 +213,7 @@ jobs: with: output: image push: true - target: ${{ matrix.webserver }}-otel + target: ${{ matrix.webserver }}-otel-${{ matrix.php }} distribute: false vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} @@ -210,13 +228,15 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} dev: - name: Dev ${{ matrix.webserver }} + name: Dev ${{ matrix.webserver }} ${{ matrix.php }} node${{ matrix.node }} needs: [changes, webserver-otel] if: needs.changes.outputs.fpm == 'true' || needs.changes.outputs.should_build == 'true' strategy: fail-fast: false matrix: webserver: [ caddy, nginx ] + php: [ '8-2', '8-3', '8-4', '8-5' ] + node: [ '22', '24' ] uses: docker/github-builder/.github/workflows/bake.yml@v1 permissions: contents: read @@ -224,7 +244,7 @@ jobs: with: output: image push: true - target: ${{ matrix.webserver }}-dev + target: ${{ matrix.webserver }}-dev-${{ matrix.php }}-${{ matrix.node }} distribute: false vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} diff --git a/docker-bake.hcl b/docker-bake.hcl index 115ac32..eb4e6ce 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl 
@@ -14,46 +14,6 @@ variable "frankenphpMatrix" { default = [ "8.2.30", "8.3.30", "8.4.19", "8.5.4" ] } -group "frankenphp" { - targets = [ for php in frankenphpMatrix : "frankenphp-${replace(substr(php, 0, 3), ".", "-")}" ] -} - -group "frankenphp-otel" { - targets = [ for php in frankenphpMatrix : "frankenphp-otel-${replace(substr(php, 0, 3), ".", "-")}" ] -} - -group "fpm" { - targets = [ for php in phpMatrix : "fpm-${replace(substr(php, 0, 3), ".", "-")}" ] -} - -group "fpm-otel" { - targets = [ for php in phpMatrix : "fpm-otel-${replace(substr(php, 0, 3), ".", "-")}" ] -} - -group "caddy" { - targets = [ for php in phpMatrix : "caddy-${replace(substr(php, 0, 3), ".", "-")}" ] -} - -group "caddy-otel" { - targets = [ for php in phpMatrix : "caddy-otel-${replace(substr(php, 0, 3), ".", "-")}" ] -} - -group "nginx" { - targets = [ for php in phpMatrix : "nginx-${replace(substr(php, 0, 3), ".", "-")}" ] -} - -group "nginx-otel" { - targets = [ for php in phpMatrix : "nginx-otel-${replace(substr(php, 0, 3), ".", "-")}" ] -} - -group "caddy-dev" { - targets = flatten([ for php in phpMatrix : [ for node in [ "22", "24" ] : "caddy-dev-${replace(substr(php, 0, 3), ".", "-")}-${node}" ] ]) -} - -group "nginx-dev" { - targets = flatten([ for php in phpMatrix : [ for node in [ "22", "24" ] : "nginx-dev-${replace(substr(php, 0, 3), ".", "-")}-${node}" ] ]) -} - # Frankenphp target "frankenphp" { From 32451b41bc58587c62edab8f79e6a33d9479d864 Mon Sep 17 00:00:00 2001 From: Soner Sayakci Date: Thu, 2 Apr 2026 11:19:49 +0200 Subject: [PATCH 5/6] fix: enable distribute for multi-arch builds With distribute: false, github-builder runs on a single amd64 runner and ignores platform definitions. Setting distribute: true creates a matrix entry per platform, building arm64 on native arm runners. --- .github/workflows/build.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 240cf57..b7e9b01 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -67,7 +67,7 @@ jobs: output: image push: true target: frankenphp-${{ matrix.php }} - distribute: false + distribute: true vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} @@ -96,7 +96,7 @@ jobs: output: image push: true target: frankenphp-otel-${{ matrix.php }} - distribute: false + distribute: true vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} @@ -125,7 +125,7 @@ jobs: output: image push: true target: fpm-${{ matrix.php }} - distribute: false + distribute: true vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} @@ -154,7 +154,7 @@ jobs: output: image push: true target: fpm-otel-${{ matrix.php }} - distribute: false + distribute: true vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} @@ -184,7 +184,7 @@ jobs: output: image push: true target: ${{ matrix.webserver }}-${{ matrix.php }} - distribute: false + distribute: true vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} 
@@ -214,7 +214,7 @@ jobs: output: image push: true target: ${{ matrix.webserver }}-otel-${{ matrix.php }} - distribute: false + distribute: true vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} @@ -245,7 +245,7 @@ jobs: output: image push: true target: ${{ matrix.webserver }}-dev-${{ matrix.php }}-${{ matrix.node }} - distribute: false + distribute: true vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} From 68e46d68618944d9bf78e469c5d920253163457e Mon Sep 17 00:00:00 2001 From: Soner Sayakci Date: Thu, 2 Apr 2026 11:20:02 +0200 Subject: [PATCH 6/6] chore: remove distribute option since true is the default --- .github/workflows/build.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b7e9b01..8ba24dd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -67,7 +67,6 @@ jobs: output: image push: true target: frankenphp-${{ matrix.php }} - distribute: true vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} @@ -96,7 +95,6 @@ jobs: output: image push: true target: frankenphp-otel-${{ matrix.php }} - distribute: true vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} 
@@ -125,7 +123,6 @@ jobs: output: image push: true target: fpm-${{ matrix.php }} - distribute: true vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} @@ -154,7 +151,6 @@ jobs: output: image push: true target: fpm-otel-${{ matrix.php }} - distribute: true vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} @@ -184,7 +180,6 @@ jobs: output: image push: true target: ${{ matrix.webserver }}-${{ matrix.php }} - distribute: true vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} @@ -214,7 +209,6 @@ jobs: output: image push: true target: ${{ matrix.webserver }}-otel-${{ matrix.php }} - distribute: true vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }} @@ -245,7 +239,6 @@ jobs: output: image push: true target: ${{ matrix.webserver }}-dev-${{ matrix.php }}-${{ matrix.node }} - distribute: true vars: | imageSuffix=${{ github.event_name == 'pull_request' && '-ci-test' || '' }} tagPrefix=${{ github.event_name == 'pull_request' && format('{0}-', github.event.pull_request.number) || '' }}