From a141d41af75cfa92019476069c8e320f8b066948 Mon Sep 17 00:00:00 2001 From: Greg Korba Date: Thu, 21 Nov 2024 11:23:24 +0100 Subject: [PATCH 1/9] Prepare CI job for building Docker binary-only images --- .github/workflows/release.yml | 54 +++++++++++++++++++++++++++++++++++ Dockerfile | 4 +++ 2 files changed, 58 insertions(+) create mode 100644 Dockerfile diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e2df36b3..c4032e93 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,7 @@ on: permissions: contents: read + packages: write jobs: build-phar: @@ -38,3 +39,56 @@ jobs: if: ${{startsWith(github.ref, 'refs/tags/') }} with: files: pie.phar + + docker-binary-only-image: + needs: build-phar + name: Docker binary-only image + runs-on: ubuntu-latest + if: ${{ startsWith(github.ref, 'refs/tags/') }} + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Restore built PHAR + uses: actions/download-artifact@v4 + with: + name: pie-${{ github.sha }}.phar + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to the Container registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + flavor: | + latest=false + suffix=-bin + images: ghcr.io/${{ github.repository }} + tags: | + type=raw,value=latest + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + + - name: Build and push Docker image + uses: docker/build-push-action@v5 + with: + context: . + platforms: linux/amd64,linux/arm64 + file: Dockerfile + target: standalone-binary + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} 
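Review bot: Every action in the new docker-binary-only-image job is referenced by a floating major tag (`actions/checkout@v4`, `actions/download-artifact@v4`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/metadata-action@v5`, `docker/build-push-action@v5`), so a moved tag in any of those repositories changes what runs inside a job that holds `packages: write` and pushes a public image. Pin each `uses:` to a full commit SHA and keep the version in a trailing comment, e.g. `uses: docker/build-push-action@<commit-sha> # v5`, and let Dependabot or Renovate maintain the pins; I cannot see how `build-phar` references its actions, so match whatever convention that job already follows. The same applies to `actions/attest-build-provenance@v1` added in patch 4. Separately, the Set up QEMU step is unnecessary here: the Dockerfile's `FROM scratch` stage only runs COPY, and BuildKit needs no emulation to assemble the arm64 manifest when no RUN instruction executes, so the step can be dropped to shrink the job's surface.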
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..58fea808
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,4 @@
+FROM scratch AS standalone-binary
+
+# @TODO change to --chmod=+x when https://github.com/moby/buildkit/pull/5380 is released
+COPY --chmod=0755 pie.phar /pie
From f69e736ea0e7f3489c0ea35ccd568da3e14659a2 Mon Sep 17 00:00:00 2001
From: Greg Korba
Date: Thu, 21 Nov 2024 12:01:34 +0100
Subject: [PATCH 2/9] Docs for installing in Docker builds
---
 docs/usage.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/docs/usage.md b/docs/usage.md
index 764a9b12..6a22ce54 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -27,6 +27,19 @@ system:
 sudo curl -L --output /usr/local/bin/pie https://github.com/php/pie/releases/latest/download/pie.phar && sudo chmod +x /usr/local/bin/pie
 ```
 
+### Docker installation
+
+PIE is published as binary-only Docker image, so you can install it easily during your Docker build:
+
+```Dockerfile
+COPY --from=ghcr.io/php/pie:latest-bin /pie /usr/bin/pie
+```
+
+Instead of `latest` you can also use explicit versions like `x.y.z-bin`, `x.y-bin` or `x-bin`, depending on stability level you want to achieve.
+
+> [!IMPORTANT]
+> Binary-only images don't include PHP runtime so you can't use them for _running_ PIE. This is just an alternative way of distributing PHAR file, you still need to satisfy PIE's runtime requirements on your own.
+
 ## Prerequisites for PIE
 
 Running PIE requires PHP 8.1 or newer. However, you may still use PIE to install
From e0c258d53b3563af89687967013260de6aafff99 Mon Sep 17 00:00:00 2001
From: Greg Korba
Date: Fri, 29 Nov 2024 11:49:57 +0100
Subject: [PATCH 3/9] Use GitHub's attestation feature for verifying PHAR
---
 .github/workflows/release.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c4032e93..a2126e56 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -55,6 +55,11 @@ jobs: with: name: pie-${{ github.sha }}.phar + - name: Verify the PHAR + env: + GH_TOKEN: ${{ github.token }} + run: gh attestation verify pie.phar --repo ${{ github.repository }} + - name: Set up QEMU uses: docker/setup-qemu-action@v3 From 672be39d287f5ebd9879d783df035c3446e15f61 Mon Sep 17 00:00:00 2001 From: Greg Korba Date: Fri, 29 Nov 2024 12:04:47 +0100 Subject: [PATCH 4/9] Generate artifact attestation See: https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#generating-build-provenance-for-container-images --- .github/workflows/release.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a2126e56..6c47d2f4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,7 +6,9 @@ on: - published permissions: + attestations: write contents: read + id-token: write packages: write jobs: @@ -88,6 +90,7 @@ jobs: type=semver,pattern={{major}} - name: Build and push Docker image + id: build-and-push uses: docker/build-push-action@v5 with: context: . @@ -97,3 +100,10 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@v1 + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.build-and-push.outputs.digest }} + push-to-registry: true From 383dd452ed2597b3e95049d054f9f698bf755599 Mon Sep 17 00:00:00 2001 From: Greg Korba Date: Tue, 3 Dec 2024 10:31:22 +0100 Subject: [PATCH 5/9] Move permissions to the job level --- .github/workflows/release.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6c47d2f4..6c4cc632 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
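Review bot: The new Verify the PHAR step only checks that some attestation for pie.phar was produced by a workflow in `${{ github.repository }}`; `--repo` does not bind it to the release workflow, so an attestation signed by any other workflow in this repository would satisfy it as well. If the runner's gh supports it, narrow the check with `--signer-workflow ${{ github.repository }}/.github/workflows/release.yml` (this assumes the PHAR attestation is generated by the build-phar job in this same file, which lies outside the hunk). Because the artifact comes from the same workflow run via download-artifact, this verification is defence in depth rather than the primary control, and a one-line comment above the step saying so would help the next maintainer understand why it sits between the download and the image build.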
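Review bot: The attestation pushed by the new Generate artifact attestation step is only valuable if image consumers verify it, and the usage docs added in patch 2 show a bare `COPY --from=ghcr.io/php/pie:latest-bin` with no verification or digest pinning. Consider adding a sentence to docs/usage.md showing `gh attestation verify oci://ghcr.io/php/pie:bin --repo php/pie` (using the tag scheme patch 7 settles on) and recommending `ghcr.io/php/pie@sha256:<digest>` for reproducible builds. Also note that `subject-name` must match the image reference metadata-action produced byte for byte; metadata-action lowercases the repository name while `${{ github.repository }}` is passed verbatim here, which is fine for php/pie but would break silently for a fork whose name contains uppercase characters, so a comment on that line is worth adding.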
@@ -6,10 +6,7 @@ on: - published permissions: - attestations: write contents: read - id-token: write - packages: write jobs: build-phar: @@ -48,6 +45,14 @@ jobs: runs-on: ubuntu-latest if: ${{ startsWith(github.ref, 'refs/tags/') }} + permissions: + # attestations:write is required to publish provenance attestations for the built Docker image + attestations: write + # id-token:write is required for logging in to the Docker registry + id-token: write + # packages:write is required to publish Docker images to GitHub's registry + packages: write + steps: - name: Checkout repository uses: actions/checkout@v4 From 99e25f852cdf3c986647e09507bf4318b90cb078 Mon Sep 17 00:00:00 2001 From: Greg Korba Date: Tue, 3 Dec 2024 10:32:41 +0100 Subject: [PATCH 6/9] Sync step name with `release-phar` job --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6c4cc632..959cbb46 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -57,7 +57,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Restore built PHAR + - name: Fetch built PHAR from artifacts uses: actions/download-artifact@v4 with: name: pie-${{ github.sha }}.phar From 8585fd22391f644d7aa90307332270ea8988a7eb Mon Sep 17 00:00:00 2001 From: Greg Korba Date: Tue, 3 Dec 2024 16:21:46 +0100 Subject: [PATCH 7/9] Use `bin` instead of `latest-bin` --- .github/workflows/release.yml | 9 ++++----- docs/usage.md | 4 ++-- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 959cbb46..60dfc6c5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -86,13 +86,12 @@ jobs: with: flavor: | latest=false - suffix=-bin images: ghcr.io/${{ github.repository }} tags: | - type=raw,value=latest - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} + type=raw,value=bin + type=semver,pattern={{version}}-bin + type=semver,pattern={{major}}.{{minor}}-bin + type=semver,pattern={{major}}-bin - name: Build and push Docker image id: build-and-push diff --git a/docs/usage.md b/docs/usage.md index 6a22ce54..fa0d4cc6 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -32,10 +32,10 @@ sudo curl -L --output /usr/local/bin/pie https://github.com/php/pie/releases/lat PIE is published as binary-only Docker image, so you can install it easily during your Docker build: ```Dockerfile -COPY --from=ghcr.io/php/pie:latest-bin /pie /usr/bin/pie +COPY --from=ghcr.io/php/pie:bin /pie /usr/bin/pie ``` -Instead of `latest` you can also use explicit versions like `x.y.z-bin`, `x.y-bin` or `x-bin`, depending on stability level you want to achieve. +Instead of `bin` tag (which represents latest binary-only image) you can also use explicit versions like `x.y.z-bin`, `x.y-bin` or `x-bin`, depending on stability level you want to achieve. > [!IMPORTANT] > Binary-only images don't include PHP runtime so you can't use them for _running_ PIE. This is just an alternative way of distributing PHAR file, you still need to satisfy PIE's runtime requirements on your own. From 7a60979d0c26a9c88620dc0a2a152e91dbb156ad Mon Sep 17 00:00:00 2001 From: Greg Korba Date: Tue, 3 Dec 2024 16:23:38 +0100 Subject: [PATCH 8/9] Make job permissions' descriptions in sync with `build-phar` job --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 60dfc6c5..fd4dac7f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
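Review bot: `type=raw,value=bin` is unconditional, so every tag build moves the floating `bin` tag, including pre-release tags, whereas the `type=semver` major/minor patterns it replaces and metadata-action's default `latest` flavor skip pre-releases. Since the workflow appears to run on published releases (the `- published` context in patch 4 suggests `on: release`), guard the entry with the release payload, `type=raw,value=bin,enable=${{ !github.event.release.prerelease }}`, or with `enable=${{ !contains(github.ref_name, '-') }}` if tags can also arrive through other triggers. Patch 9 rewrites this tags block again and keeps the unconditional raw entry, so the same applies there. The paired docs hunk tells users to `COPY --from=ghcr.io/php/pie:bin`, a mutable tag; mentioning digest pinning for production builds would complement the attestation work in this series.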
@@ -46,11 +46,11 @@ jobs: if: ${{ startsWith(github.ref, 'refs/tags/') }} permissions: - # attestations:write is required to publish provenance attestations for the built Docker image + # attestations:write is required for build provenance attestation. attestations: write - # id-token:write is required for logging in to the Docker registry + # id-token:write is required for build provenance attestation. id-token: write - # packages:write is required to publish Docker images to GitHub's registry + # packages:write is required to publish Docker images to GitHub's registry. packages: write steps: From 61ba6a88f061e0959934fd99db5b985cfbb668e3 Mon Sep 17 00:00:00 2001 From: Greg Korba Date: Wed, 4 Dec 2024 09:35:59 +0100 Subject: [PATCH 9/9] Use less granular tagging policy --- .github/workflows/release.yml | 5 +++-- docs/usage.md | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fd4dac7f..2ceac5e1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -87,11 +87,12 @@ jobs: flavor: | latest=false images: ghcr.io/${{ github.repository }} + # @TODO v1.0 Consider introducing more granular tags (major and major.minor) + # @see https://github.com/php/pie/pull/122#pullrequestreview-2477496308 + # @see https://github.com/php/pie/pull/122#discussion_r1867331273 tags: | type=raw,value=bin type=semver,pattern={{version}}-bin - type=semver,pattern={{major}}.{{minor}}-bin - type=semver,pattern={{major}}-bin - name: Build and push Docker image id: build-and-push diff --git a/docs/usage.md b/docs/usage.md index fa0d4cc6..0eac8bc1 100644 --- a/docs/usage.md +++ b/docs/usage.md 
@@ -35,7 +35,7 @@ PIE is published as binary-only Docker image, so you can install it easily durin
 COPY --from=ghcr.io/php/pie:bin /pie /usr/bin/pie
 ```
 
-Instead of `bin` tag (which represents latest binary-only image) you can also use explicit versions like `x.y.z-bin`, `x.y-bin` or `x-bin`, depending on stability level you want to achieve.
+Instead of `bin` tag (which represents latest binary-only image) you can also use explicit version (in `x.y.z-bin` format). Use [GitHub registry](https://ghcr.io/php/pie) to find available tags.
 
 > [!IMPORTANT]
 > Binary-only images don't include PHP runtime so you can't use them for _running_ PIE. This is just an alternative way of distributing PHAR file, you still need to satisfy PIE's runtime requirements on your own.