ci: improve security by using GHA environments (#2335)

This commit is contained in:
Kévin Dunglas
2026-04-08 17:58:46 +02:00
committed by GitHub
parent 359eca3fc4
commit 6f559e14d5
4 changed files with 17 additions and 10 deletions
+6 -4
@@ -80,6 +80,7 @@ jobs:
VERSION: ${{ (github.ref_type == 'tag' && github.ref_name) || steps.check.outputs.ref || 'dev' }}
PHP_VERSION: ${{ steps.check.outputs.php_version }}
build:
environment: dockerhub
runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
needs:
- prepare
@@ -129,8 +130,8 @@ jobs:
uses: docker/login-action@v4
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
with:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build
id: build
uses: docker/bake-action@v7
@@ -204,6 +205,7 @@ jobs:
# Adapted from https://docs.docker.com/build/ci/github-actions/multi-platform/
push:
environment: dockerhub
runs-on: ubuntu-24.04
needs:
- prepare
@@ -227,8 +229,8 @@ jobs:
uses: docker/login-action@v4
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
with:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Create manifest list and push
working-directory: /tmp/metadata
run: |
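Review bot: `environment: dockerhub` on the build and push jobs (first and third hunks) only restricts who can obtain `secrets.DOCKERHUB_TOKEN` if the environment itself carries deployment protection rules, and that configuration lives outside the workflow file, so a reader of this YAML cannot tell what the gate actually enforces; a comment above each `environment:` line would make it explicit, e.g. `# Registry credentials come from the "dockerhub" environment; its deployment-branch/tag rules and required reviewers are what limit who can publish.` The login step keeps its `if:` that admits same-repo pull requests, but a job that references an environment is checked against the environment's branch policy before any step runs, so if `dockerhub` is limited to tags or protected branches, same-repo PR runs of these jobs would presumably be rejected outright rather than skipping login — worth confirming the policy matches the refs this workflow runs on. The `prepare` job these depend on and the steps following `run: |` are outside the hunk. The same point applies to the build-linux-musl, build-linux-gnu and push jobs in the third file section.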
+1
@@ -16,6 +16,7 @@ concurrency:
cancel-in-progress: true
jobs:
deploy:
environment: website
runs-on: ubuntu-slim
steps:
- name: Trigger website deployment
+9 -6
@@ -84,6 +84,7 @@ jobs:
VERSION: ${{ steps.check.outputs.ref || 'dev' }}
build-linux-musl:
environment: dockerhub
permissions:
contents: write
id-token: write
@@ -121,8 +122,8 @@ jobs:
uses: docker/login-action@v4
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
with:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set VERSION
run: |
if [ "${GITHUB_REF_TYPE}" == "tag" ]; then
@@ -219,6 +220,7 @@ jobs:
BINARY: ./frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }}
build-linux-gnu:
environment: dockerhub
permissions:
contents: write
id-token: write
@@ -289,8 +291,8 @@ jobs:
uses: docker/login-action@v4
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
with:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build
id: build
uses: docker/bake-action@v7
@@ -377,6 +379,7 @@ jobs:
# Adapted from https://docs.docker.com/build/ci/github-actions/multi-platform/
push:
environment: dockerhub
runs-on: ubuntu-24.04
needs:
- prepare
@@ -402,8 +405,8 @@ jobs:
uses: docker/login-action@v4
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
with:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Create manifest list and push
working-directory: /tmp/metadata
run: |
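Review bot: build-linux-musl and build-linux-gnu keep `id-token: write` while now also referencing `environment: dockerhub`, and the commit does not note that this changes the OIDC token's subject: once a job names an environment, the `sub` claim takes the `repo:<owner>/<repo>:environment:dockerhub` form instead of the branch/tag form. If anything downstream of these jobs exchanges that token against a trust policy keyed on the subject, that policy needs updating or the exchange will start failing; a comment next to the permission would record the dependency, e.g. `# id-token is issued with an environment-scoped subject (environment:dockerhub); keep external trust policies in sync`. The steps that would consume the token are not in these hunks, so this is inferred from the permission alone.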
+1
@@ -13,6 +13,7 @@ permissions:
pull-requests: write
jobs:
build:
environment: translate
name: Translate Docs
runs-on: ubuntu-latest
steps: