diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e2df36b3..2ceac5e1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,3 +38,77 @@ jobs:
 if: ${{startsWith(github.ref, 'refs/tags/') }}
 with:
 files: pie.phar
+
+ docker-binary-only-image:
+ needs: build-phar
+ name: Docker binary-only image
+ runs-on: ubuntu-latest
+ if: ${{ startsWith(github.ref, 'refs/tags/') }}
+
+ permissions:
+ # attestations:write is required for build provenance attestation.
+ attestations: write
+ # id-token:write is required for build provenance attestation.
+ id-token: write
+ # packages:write is required to publish Docker images to GitHub's registry.
+ packages: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Fetch built PHAR from artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: pie-${{ github.sha }}.phar
+
+ - name: Verify the PHAR
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: gh attestation verify pie.phar --repo ${{ github.repository }}
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ flavor: |
+ latest=false
+ images: ghcr.io/${{ github.repository }}
+ # @TODO v1.0 Consider introducing more granular tags (major and major.minor)
+ # @see https://github.com/php/pie/pull/122#pullrequestreview-2477496308
+ # @see https://github.com/php/pie/pull/122#discussion_r1867331273
+ tags: |
+ type=raw,value=bin
+ type=semver,pattern={{version}}-bin
+
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ platforms: linux/amd64,linux/arm64
+ file: Dockerfile
+ target: standalone-binary
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ghcr.io/${{ github.repository }}
+ subject-digest: ${{ steps.build-and-push.outputs.digest }}
+ push-to-registry: true
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..58fea808
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,4 @@
+FROM scratch AS standalone-binary
+
+# @TODO change to --chmod=+x when https://github.com/moby/buildkit/pull/5380 is released
+COPY --chmod=0755 pie.phar /pie
diff --git a/docs/usage.md b/docs/usage.md
index 764a9b12..0eac8bc1 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -27,6 +27,19 @@ system:
 sudo curl -L --output /usr/local/bin/pie https://github.com/php/pie/releases/latest/download/pie.phar && sudo chmod +x /usr/local/bin/pie
 ```
+### Docker installation
+
+PIE is published as binary-only Docker image, so you can install it easily during your Docker build:
+
+```Dockerfile
+COPY --from=ghcr.io/php/pie:bin /pie /usr/bin/pie
+```
+
+Instead of `bin` tag (which represents latest binary-only image) you can also use explicit version (in `x.y.z-bin` format). Use [GitHub registry](https://ghcr.io/php/pie) to find available tags.
+
+> [!IMPORTANT]
+> Binary-only images don't include PHP runtime so you can't use them for _running_ PIE. This is just an alternative way of distributing PHAR file, you still need to satisfy PIE's runtime requirements on your own.
+
 ## Prerequisites for PIE
 Running PIE requires PHP 8.1 or newer. However, you may still use PIE to install
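Review bot: The job-level `permissions` block of `docker-binary-only-image` lists only `attestations`, `id-token` and `packages`, which implicitly sets every other scope, including `contents`, to none, yet the first step is `actions/checkout@v4` and `docker/build-push-action` uses that checkout as its `context: .`; on a public repository the clone may still succeed anonymously and mask this, so the requirement should be stated explicitly with `contents: read` under `permissions:`. The `gh attestation verify pie.phar --repo ...` step is a sound gate before the downloaded artifact is baked into the image, but every action in the job is referenced by a mutable major tag (`@v4`, `@v3`, `@v5`, `@v1`); for a release job that signs and publishes an image, pinning the third-party actions to a full commit SHA would narrow the supply-chain exposure, if that matches the convention used elsewhere in this workflow. Separately, `type=raw,value=bin` is emitted for any `refs/tags/` push, so a pre-release tag would also move the `bin` tag that the docs describe as the latest binary-only image; if that is not intended, gate that entry with an `enable=` condition, e.g. `type=raw,value=bin,enable=${{ !contains(github.ref, '-') }}`. The enclosing `jobs:` mapping starts before this hunk.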