Information about the automated build, test, and publishing pipeline.
This repository uses GitHub Actions to automatically build, test, and publish Docker images.
- All branches and PRs: Build and test only (no publishing)
mainbranch only: Build, test, and publish to registries
This ensures that only tested, approved changes make it to production registries.
The unified CI workflow handles both v1 and v2 variants in a single pipeline.
Runs on every push and pull request:
matrix:
variant: [v1, v2]
php-version: ['8.3', '8.1']
php-type: [fpm, cli]
php-base: [alpine, bookworm]What it does:
- Builds both v1 and v2 images
- Runs comprehensive smoke tests:
- PHP version verification
- Extension checks
- Directory permissions
- v2: s6-overlay validation
- FPM: PHP-FPM functionality
- Uses GitHub Actions cache for faster builds
- Fails fast if any variant fails
Runs only on main branch after successful build-and-test:
matrix:
variant: [v1, v2]
php-version: ['8.3', '8.2', '8.1', '7']
php-type: [fpm, cli, apache]
php-base: [alpine, bookworm, bullseye]What it does:
- Builds multi-architecture images (amd64, arm64, arm/v7)
- Publishes to three registries:
- Docker Hub:
docker.io/kingpin/php-docker - GitHub Container Registry:
ghcr.io/kingpin/php-docker - Quay.io:
quay.io/kingpinx1/php-docker
- Docker Hub:
- Runs Trivy security scanner
- Uploads SARIF results to GitHub Security
To enable publishing, configure these GitHub repository secrets:
| Secret | Description | Used For |
|---|---|---|
DOCKERHUB_USERNAME |
Docker Hub username | Docker Hub login |
DOCKERHUB_TOKEN |
Docker Hub access token | Docker Hub authentication |
QUAY_USERNAME |
Quay.io username | Quay.io login |
QUAY_ROBOT_TOKEN |
Quay.io robot account token | Quay.io authentication |
Note: GITHUB_TOKEN is automatically provided by GitHub Actions for GHCR.
- Go to repository Settings → Secrets and variables → Actions
- Click New repository secret
- Add each secret with its value
- Ensure secrets are available to workflows
Two legacy workflows exist for manual triggering:
docker-image.v1.yml- Build v1 images manuallydocker-image.v2.yml- Build v2 images manually
These run only via workflow_dispatch (manual trigger) and don't publish automatically.
Recommended settings for main branch:
- Require pull request reviews: At least 1 approval
- Require status checks:
build-and-testmust pass- All matrix jobs must succeed
- Require branches to be up to date: Enable
- Restrict who can push: Limit to maintainers
This prevents accidental publishing of broken images.
When you open a PR, CI will:
- Build all matrix combinations
- Run smoke tests on each variant
- Report pass/fail status
- Will NOT publish images
Pushing to any branch (not just main) will:
- Trigger build-and-test job
- Run all smoke tests
- Will NOT publish images
Only merging to main triggers publishing.
Every published image is scanned with Trivy:
- uses: aquasecurity/trivy-action@master
with:
scan-type: image
severity: 'CRITICAL,HIGH'
format: 'sarif'Results appear in:
- GitHub Security tab
- PR checks (if scanning fails)
The workflow uses GitHub Actions cache to speed up builds:
cache-from: type=gha,scope=${{ matrix.variant }}-...
cache-to: type=gha,mode=max,scope=${{ matrix.variant }}-...Benefits:
- Faster builds (layer caching)
- Reduced CI minutes
- Per-variant cache isolation
When changes merge to main:
- Build-and-test runs (all variants)
- If all tests pass → Publish job starts
- For each matrix combination:
- Build multi-arch image
- Tag for all three registries
- Push to Docker Hub, GHCR, and Quay.io
- Run Trivy scan
- Upload security results
- Images available within ~15-20 minutes
Published tags follow this format:
v1: {php-version}-{type}-{os}
v2: {php-version}-{type}-{os}-v2
Examples:
8.3-fpm-alpine(v1)8.3-fpm-alpine-v2(v2)8.2-cli-bookworm(v1)8.2-cli-bookworm-v2(v2)
No :latest tag is currently published to avoid ambiguity.
View workflow runs:
- Go to repository Actions tab
- Select Docker CI (v1 + v2) workflow
- Click any run to see details
- Check individual job logs for debugging
The README includes a status badge:
[](https://github.com/kingpin/php-docker/actions/workflows/docker-ci.yml)Shows current build status for main branch.
Check:
- Error messages in job logs
- Smoke test failures
- Build argument issues
Common fixes:
- Ensure Dockerfile syntax is correct
- Verify build args are passed correctly
- Check if extensions install properly
Check:
- Registry secrets are configured
- Secrets have correct permissions
- Registry quotas/limits not exceeded
Common fixes:
- Regenerate registry tokens
- Verify secret names match workflow
- Check registry status pages
Optimize:
- Cache is working (check logs for "cache hit")
- Reduce matrix size for PRs if needed
- Use buildx cache features
When modifying workflows:
- Test changes in a fork first
- Use small matrix for initial testing
- Verify secrets aren't exposed in logs
- Update this documentation