From 6c708be99da4e3cf9809c9089c058c7a227b67a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Dunglas?= Date: Sun, 4 Aug 2024 14:05:54 +0200 Subject: [PATCH] ci: upgrade to super-linter 6 (#952) --- .github/workflows/docker.yaml | 3 + .github/workflows/lint.yaml | 17 +- .github/workflows/static.yaml | 3 + .github/workflows/tests.yaml | 2 + Dockerfile | 3 + alpine.Dockerfile | 3 + build-static.sh | 295 +++++++++++++++++----------------- dev-alpine.Dockerfile | 2 + dev.Dockerfile | 2 + release.sh | 22 +-- reload_test.sh | 4 +- static-builder.Dockerfile | 3 + 12 files changed, 190 insertions(+), 169 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 22a5c4bf..ba7002fe 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -16,12 +16,15 @@ on: - v*.*.* workflow_dispatch: inputs: + #checkov:skip=CKV_GHA_7 version: description: 'FrankenPHP version' required: false type: string schedule: - cron: '0 4 * * *' +permissions: + contents: read env: IMAGE_NAME: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && 'dunglas/frankenphp' || 'dunglas/frankenphp-dev' }} jobs: diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 433260ca..2c1de09d 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -7,17 +7,14 @@ on: push: branches: - main - +permissions: + contents: read + packages: read + statuses: write jobs: build: name: Lint Code Base runs-on: ubuntu-latest - - permissions: - contents: read - packages: read - statuses: write - steps: - name: Checkout Code @@ -26,7 +23,7 @@ jobs: fetch-depth: 0 - name: Lint Code Base - uses: super-linter/super-linter/slim@v5 + uses: super-linter/super-linter/slim@v6.8.0 env: VALIDATE_ALL_CODEBASE: true DEFAULT_BRANCH: main 
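Review bot: The `#checkov:skip=CKV_GHA_7` added under `inputs:` in docker.yaml carries no justification, so the suppression of the workflow_dispatch-input finding is unexplained both to future readers and in checkov's report. Checkov accepts a reason after the check ID, e.g. `#checkov:skip=CKV_GHA_7: <why the version input cannot change what is built>`, and the same applies to the unexplained skip added in static.yaml and to the `CKV_DOCKER_2`/`CKV_DOCKER_3`/`CKV_DOCKER_7` skips added in Dockerfile, alpine.Dockerfile, dev-alpine.Dockerfile, dev.Dockerfile and static-builder.Dockerfile. CKV_DOCKER_3 (container has no dedicated user) in particular is a hardening finding rather than a style one, so a one-line reason per file would record that the risk was weighed rather than silenced.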
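Review bot: `uses: super-linter/super-linter/slim@v6.8.0` pins the action to a mutable tag, so the code that runs with `packages: read` and `statuses: write` against this repository can change if the tag is moved upstream. Pin it to the full commit SHA of that release and keep the version as a trailing comment, `uses: super-linter/super-linter/slim@<full-commit-sha> # v6.8.0`, so every upgrade remains an explicit, reviewable diff. Moving `permissions` from the job to the workflow level is harmless as the hunk shows only the single `build` job, but it will silently widen the grant to any job added later.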
@@ -36,7 +33,11 @@ jobs: VALIDATE_CPP: false VALIDATE_JSCPD: false VALIDATE_GO: false + VALIDATE_GO_MODULES: false VALIDATE_PHP_PHPCS: false VALIDATE_PHP_PHPSTAN: false VALIDATE_PHP_PSALM: false VALIDATE_TERRAGRUNT: false + # Prettier and StandardJS are incompatible + VALIDATE_JAVASCRIPT_PRETTIER: false + VALIDATE_TYPESCRIPT_PRETTIER: false diff --git a/.github/workflows/static.yaml b/.github/workflows/static.yaml index b2563e3e..f592cc56 100644 --- a/.github/workflows/static.yaml +++ b/.github/workflows/static.yaml @@ -16,12 +16,15 @@ on: - v*.*.* workflow_dispatch: inputs: + #checkov:skip=CKV_GHA_7 version: description: 'FrankenPHP version' required: false type: string schedule: - cron: '0 0 * * *' +permissions: + contents: write env: IMAGE_NAME: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && 'dunglas/frankenphp' || 'dunglas/frankenphp-dev' }} jobs: diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index e9fc9a1f..271689c1 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -11,6 +11,8 @@ on: - main paths-ignore: - 'docs/**' +permissions: + contents: read jobs: tests: runs-on: ubuntu-latest diff --git a/Dockerfile b/Dockerfile index a4b48dde..774ab866 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,7 @@ # syntax=docker/dockerfile:1 +#checkov:skip=CKV_DOCKER_2 +#checkov:skip=CKV_DOCKER_3 +#checkov:skip=CKV_DOCKER_7 FROM php-base AS common WORKDIR /app diff --git a/alpine.Dockerfile b/alpine.Dockerfile index af0140bd..9918657a 100644 --- a/alpine.Dockerfile +++ b/alpine.Dockerfile @@ -1,4 +1,7 @@ # syntax=docker/dockerfile:1 +#checkov:skip=CKV_DOCKER_2 +#checkov:skip=CKV_DOCKER_3 +#checkov:skip=CKV_DOCKER_7 FROM php-base AS common ARG TARGETARCH diff --git a/build-static.sh b/build-static.sh index 26ed4ae4..25c327e7 100755 --- a/build-static.sh +++ b/build-static.sh 
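Review bot: `VALIDATE_GO_MODULES: false` is added without a reason, unlike the neighbouring Prettier lines that carry `# Prettier and StandardJS are incompatible`. A short comment stating why the Go modules linter is turned off (presumably because Go is already excluded via `VALIDATE_GO: false` just above and checked elsewhere, but that is inferred) keeps the growing list of disabled linters auditable, e.g. `# <reason Go modules are not linted here>` placed directly above `VALIDATE_GO_MODULES: false`.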
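Review bot: `permissions: contents: write` is granted at the workflow level in static.yaml, so every job in that workflow receives repository write access, not only the one that needs it (presumably a release-asset upload; the jobs are outside the hunk). docker.yaml in this same commit sets `contents: read` at the top, so the two workflows now differ in their default grant for no visible reason. Prefer the same `permissions: contents: read` default here and attach `permissions: contents: write` to the specific job that publishes, so a compromised step in any other job cannot push to the repository.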
@@ -3,138 +3,138 @@ set -o errexit set -x -if ! type "git" > /dev/null 2>&1; then - echo "The \"git\" command must be installed." - exit 1 +if ! type "git" >/dev/null 2>&1; then + echo "The \"git\" command must be installed." + exit 1 fi arch="$(uname -m)" os="$(uname -s | tr '[:upper:]' '[:lower:]')" md5binary="md5sum" if [ "${os}" = "darwin" ]; then - os="mac" - md5binary="md5 -q" + os="mac" + md5binary="md5 -q" fi -if [ "${os}" = "linux" ] && ! type "cmake" > /dev/null 2>&1; then - echo "The \"cmake\" command must be installed." - exit 1 +if [ "${os}" = "linux" ] && ! type "cmake" >/dev/null 2>&1; then + echo "The \"cmake\" command must be installed." + exit 1 fi if [ -z "${PHP_EXTENSIONS}" ]; then - if [ -n "${EMBED}" ] && [ -f "${EMBED}/composer.json" ]; then - cd "${EMBED}" - PHP_EXTENSIONS="$(composer check-platform-reqs --no-dev 2>/dev/null | grep ^ext | sed -e 's/^ext-//' -e 's/ .*//' | xargs | tr ' ' ',')" - export PHP_EXTENSIONS - cd - - else - export PHP_EXTENSIONS="apcu,bcmath,bz2,calendar,ctype,curl,dba,dom,exif,fileinfo,filter,ftp,gd,gmp,gettext,iconv,igbinary,imagick,intl,ldap,mbregex,mbstring,mysqli,mysqlnd,opcache,openssl,pcntl,pdo,pdo_mysql,pdo_pgsql,pdo_sqlite,pgsql,phar,posix,protobuf,readline,redis,session,shmop,simplexml,soap,sockets,sodium,sqlite3,ssh2,sysvmsg,sysvsem,sysvshm,tidy,tokenizer,xlswriter,xml,xmlreader,xmlwriter,zip,zlib,yaml,zstd" - fi + if [ -n "${EMBED}" ] && [ -f "${EMBED}/composer.json" ]; then + cd "${EMBED}" + PHP_EXTENSIONS="$(composer check-platform-reqs --no-dev 2>/dev/null | grep ^ext | sed -e 's/^ext-//' -e 's/ .*//' | xargs | tr ' ' ',')" + export PHP_EXTENSIONS + cd - + else + export 
PHP_EXTENSIONS="apcu,bcmath,bz2,calendar,ctype,curl,dba,dom,exif,fileinfo,filter,ftp,gd,gmp,gettext,iconv,igbinary,imagick,intl,ldap,mbregex,mbstring,mysqli,mysqlnd,opcache,openssl,pcntl,pdo,pdo_mysql,pdo_pgsql,pdo_sqlite,pgsql,phar,posix,protobuf,readline,redis,session,shmop,simplexml,soap,sockets,sodium,sqlite3,ssh2,sysvmsg,sysvsem,sysvshm,tidy,tokenizer,xlswriter,xml,xmlreader,xmlwriter,zip,zlib,yaml,zstd" + fi fi if [ -z "${PHP_EXTENSION_LIBS}" ]; then - export PHP_EXTENSION_LIBS="bzip2,freetype,libavif,libjpeg,liblz4,libwebp,libzip" + export PHP_EXTENSION_LIBS="bzip2,freetype,libavif,libjpeg,liblz4,libwebp,libzip" fi # The Brotli library must always be built as it is required by http://github.com/dunglas/caddy-cbrotli if ! echo "${PHP_EXTENSION_LIBS}" | grep -q "\bbrotli\b"; then - export PHP_EXTENSION_LIBS="${PHP_EXTENSION_LIBS},brotli" + export PHP_EXTENSION_LIBS="${PHP_EXTENSION_LIBS},brotli" fi if [ -z "${PHP_VERSION}" ]; then - export PHP_VERSION="8.3" + export PHP_VERSION="8.3" fi if [ -z "${FRANKENPHP_VERSION}" ]; then - FRANKENPHP_VERSION="$(git rev-parse --verify HEAD)" - export FRANKENPHP_VERSION + FRANKENPHP_VERSION="$(git rev-parse --verify HEAD)" + export FRANKENPHP_VERSION elif [ -d ".git/" ]; then - CURRENT_REF="$(git rev-parse --abbrev-ref HEAD)" - export CURRENT_REF + CURRENT_REF="$(git rev-parse --abbrev-ref HEAD)" + export CURRENT_REF - if echo "${FRANKENPHP_VERSION}" | grep -F -q "."; then - # Tag + if echo "${FRANKENPHP_VERSION}" | grep -F -q "."; then + # Tag - # Trim "v" prefix if any - FRANKENPHP_VERSION=${FRANKENPHP_VERSION#v} - export FRANKENPHP_VERSION + # Trim "v" prefix if any + FRANKENPHP_VERSION=${FRANKENPHP_VERSION#v} + export FRANKENPHP_VERSION - git checkout "v${FRANKENPHP_VERSION}" - else - git checkout "${FRANKENPHP_VERSION}" - fi + git checkout "v${FRANKENPHP_VERSION}" + else + git checkout "${FRANKENPHP_VERSION}" + fi fi bin="frankenphp-${os}-${arch}" if [ -n "${CLEAN}" ]; then - rm -Rf dist/ - go clean -cache + rm -Rf 
dist/ + go clean -cache fi # Build libphp if necessary if [ -f "dist/static-php-cli/buildroot/lib/libphp.a" ]; then - cd dist/static-php-cli + cd dist/static-php-cli else - mkdir -p dist/ - cd dist/ + mkdir -p dist/ + cd dist/ - if [ -d "static-php-cli/" ]; then - cd static-php-cli/ - git pull - else - git clone --depth 1 https://github.com/crazywhalecc/static-php-cli - cd static-php-cli/ - fi + if [ -d "static-php-cli/" ]; then + cd static-php-cli/ + git pull + else + git clone --depth 1 https://github.com/crazywhalecc/static-php-cli + cd static-php-cli/ + fi - if type "brew" > /dev/null 2>&1; then - if ! type "composer" > /dev/null; then - packages="composer" - fi - if ! type "go" > /dev/null; then - packages="${packages} go" - fi - if [ -n "${RELEASE}" ] && ! type "gh" > /dev/null 2>&1; then - packages="${packages} gh" - fi + if type "brew" >/dev/null 2>&1; then + if ! type "composer" >/dev/null; then + packages="composer" + fi + if ! type "go" >/dev/null; then + packages="${packages} go" + fi + if [ -n "${RELEASE}" ] && ! 
type "gh" >/dev/null 2>&1; then + packages="${packages} gh" + fi - if [ -n "${packages}" ]; then - # shellcheck disable=SC2086 - brew install --formula --quiet ${packages} - fi - fi + if [ -n "${packages}" ]; then + # shellcheck disable=SC2086 + brew install --formula --quiet ${packages} + fi + fi - composer install --no-dev -a + composer install --no-dev -a - if [ "${os}" = "linux" ]; then - extraOpts="--disable-opcache-jit" - fi + if [ "${os}" = "linux" ]; then + extraOpts="--disable-opcache-jit" + fi - if [ -n "${DEBUG_SYMBOLS}" ]; then - extraOpts="${extraOpts} --no-strip" - fi + if [ -n "${DEBUG_SYMBOLS}" ]; then + extraOpts="${extraOpts} --no-strip" + fi - ./bin/spc doctor --auto-fix - ./bin/spc download --with-php="${PHP_VERSION}" --for-extensions="${PHP_EXTENSIONS}" --for-libs="${PHP_EXTENSION_LIBS}" --ignore-cache-sources=php-src --prefer-pre-built - # shellcheck disable=SC2086 - ./bin/spc build --debug --enable-zts --build-embed ${extraOpts} "${PHP_EXTENSIONS}" --with-libs="${PHP_EXTENSION_LIBS}" + ./bin/spc doctor --auto-fix + ./bin/spc download --with-php="${PHP_VERSION}" --for-extensions="${PHP_EXTENSIONS}" --for-libs="${PHP_EXTENSION_LIBS}" --ignore-cache-sources=php-src --prefer-pre-built + # shellcheck disable=SC2086 + ./bin/spc build --debug --enable-zts --build-embed ${extraOpts} "${PHP_EXTENSIONS}" --with-libs="${PHP_EXTENSION_LIBS}" fi CGO_CFLAGS="-DFRANKENPHP_VERSION=${FRANKENPHP_VERSION} -I${PWD}/buildroot/include/ $(./buildroot/bin/php-config --includes | sed s#-I/#-I"${PWD}"/buildroot/#g)" if [ -n "${DEBUG_SYMBOLS}" ]; then - CGO_CFLAGS="-g ${CGO_CFLAGS}" + CGO_CFLAGS="-g ${CGO_CFLAGS}" fi export CGO_CFLAGS if [ "${os}" = "mac" ]; then - export CGO_LDFLAGS="-framework CoreFoundation -framework SystemConfiguration" + export CGO_LDFLAGS="-framework CoreFoundation -framework SystemConfiguration" fi CGO_LDFLAGS="${CGO_LDFLAGS} ${PWD}/buildroot/lib/libbrotlicommon.a ${PWD}/buildroot/lib/libbrotlienc.a ${PWD}/buildroot/lib/libbrotlidec.a 
$(./buildroot/bin/php-config --ldflags || true) $(./buildroot/bin/php-config --libs || true)" if [ "${os}" = "linux" ]; then - if echo "${PHP_EXTENSIONS}" | grep -qE "\b(intl|imagick|grpc|v8js|protobuf|mongodb|tbb)\b"; then - CGO_LDFLAGS="${CGO_LDFLAGS} -lstdc++" - fi + if echo "${PHP_EXTENSIONS}" | grep -qE "\b(intl|imagick|grpc|v8js|protobuf|mongodb|tbb)\b"; then + CGO_LDFLAGS="${CGO_LDFLAGS} -lstdc++" + fi fi export CGO_LDFLAGS 
@@ -144,92 +144,91 @@ export LIBPHP_VERSION cd ../ if [ "${os}" = "linux" ]; then - if [ -n "${MIMALLOC}" ]; then - # Replace musl's mallocng by mimalloc - # The default musl allocator is slow, especially when used by multi-threaded apps, - # and triggers weird bugs - # Adapted from https://www.tweag.io/blog/2023-08-10-rust-static-link-with-mimalloc/ + if [ -n "${MIMALLOC}" ]; then + # Replace musl's mallocng by mimalloc + # The default musl allocator is slow, especially when used by multi-threaded apps, + # and triggers weird bugs + # Adapted from https://www.tweag.io/blog/2023-08-10-rust-static-link-with-mimalloc/ - echo 'The USE_MIMALLOC environment variable is EXPERIMENTAL.' - echo 'This option can be removed or its behavior modified at any time.' + echo 'The USE_MIMALLOC environment variable is EXPERIMENTAL.' + echo 'This option can be removed or its behavior modified at any time.' - if [ ! -f "mimalloc/out/libmimalloc.a" ]; then - if [ -d "mimalloc" ]; then - cd mimalloc/ - git reset --hard - git clean -xdf - git fetch --tags - else - git clone https://github.com/microsoft/mimalloc.git - cd mimalloc/ - fi + if [ ! -f "mimalloc/out/libmimalloc.a" ]; then + if [ -d "mimalloc" ]; then + cd mimalloc/ + git reset --hard + git clean -xdf + git fetch --tags + else + git clone https://github.com/microsoft/mimalloc.git + cd mimalloc/ + fi - git checkout "$(git describe --tags "$(git rev-list --tags --max-count=1 || true)" || true)" + git checkout "$(git describe --tags "$(git rev-list --tags --max-count=1 || true)" || true)" - curl -f -L --retry 5 https://raw.githubusercontent.com/tweag/rust-alpine-mimalloc/b26002b49d466a295ea8b50828cb7520a71a872a/mimalloc.diff -o mimalloc.diff - patch -p1 < mimalloc.diff + curl -f -L --retry 5 https://raw.githubusercontent.com/tweag/rust-alpine-mimalloc/b26002b49d466a295ea8b50828cb7520a71a872a/mimalloc.diff -o mimalloc.diff + patch -p1 app_checksum.txt + tar -cf app.tar -C "${EMBED}" . 
+ ${md5binary} app.tar | awk '{printf $1}' >app_checksum.txt fi cd caddy/frankenphp/ @@ -238,20 +237,20 @@ go build -buildmode=pie -tags "cgo netgo osusergo static_build" -ldflags "-linkm cd ../.. if [ -d "${EMBED}" ]; then - truncate -s 0 app.tar - truncate -s 0 app_checksum.txt + truncate -s 0 app.tar + truncate -s 0 app_checksum.txt fi -if type "upx" > /dev/null 2>&1 && [ -z "${DEBUG_SYMBOLS}" ] && [ -z "${NO_COMPRESS}" ]; then - upx --best "dist/${bin}" +if type "upx" >/dev/null 2>&1 && [ -z "${DEBUG_SYMBOLS}" ] && [ -z "${NO_COMPRESS}" ]; then + upx --best "dist/${bin}" fi "dist/${bin}" version if [ -n "${RELEASE}" ]; then - gh release upload "v${FRANKENPHP_VERSION}" "dist/${bin}" --repo dunglas/frankenphp --clobber + gh release upload "v${FRANKENPHP_VERSION}" "dist/${bin}" --repo dunglas/frankenphp --clobber fi if [ -n "${CURRENT_REF}" ]; then - git checkout "${CURRENT_REF}" + git checkout "${CURRENT_REF}" fi diff --git a/dev-alpine.Dockerfile b/dev-alpine.Dockerfile index d19e188d..f630ef68 100644 --- a/dev-alpine.Dockerfile +++ b/dev-alpine.Dockerfile @@ -1,4 +1,6 @@ # syntax=docker/dockerfile:1 +#checkov:skip=CKV_DOCKER_2 +#checkov:skip=CKV_DOCKER_3 FROM golang:1.22-alpine ENV CFLAGS="-ggdb3" diff --git a/dev.Dockerfile b/dev.Dockerfile index 7afef170..3e7142fe 100644 --- a/dev.Dockerfile +++ b/dev.Dockerfile @@ -1,4 +1,6 @@ # syntax=docker/dockerfile:1 +#checkov:skip=CKV_DOCKER_2 +#checkov:skip=CKV_DOCKER_3 FROM golang:1.22 ENV CFLAGS="-ggdb3" diff --git a/release.sh b/release.sh index fe4cfc30..10d9e71b 100755 --- a/release.sh +++ b/release.sh 
@@ -9,25 +9,25 @@ set -o errtrace set -o pipefail set -o xtrace -if ! type "git" > /dev/null; then - echo "The \"git\" command must be installed." - exit 1 +if ! type "git" >/dev/null; then + echo "The \"git\" command must be installed." + exit 1 fi -if ! type "gh" > /dev/null; then - echo "The \"gh\" command must be installed." - exit 1 +if ! type "gh" >/dev/null; then + echo "The \"gh\" command must be installed." + exit 1 fi if [[ $# -ne 1 ]]; then - echo "Usage: ./release.sh version" >&2 - exit 1 + echo "Usage: ./release.sh version" >&2 + exit 1 fi # Adapted from https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string if [[ ! $1 =~ ^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(\+([0-9a-zA-Z-]+(\.[0-9a-zA-Z-]+)*))?$ ]]; then - echo "Invalid version number: $1" >&2 - exit 1 + echo "Invalid version number: $1" >&2 + exit 1 fi git checkout main @@ -44,6 +44,6 @@ git tag -s -m "Version $1" "caddy/v$1" git push --follow-tags tags=$(git tag --list --sort=-version:refname 'v*') -previous_tag=$(awk 'NR==2 {print;exit}' <<< "${tags}") +previous_tag=$(awk 'NR==2 {print;exit}' <<<"${tags}") gh release create --draft --generate-notes --latest --notes-start-tag "${previous_tag}" --verify-tag "v$1" diff --git a/reload_test.sh b/reload_test.sh index d35ff7a6..01c78ff7 100755 --- a/reload_test.sh +++ b/reload_test.sh 
@@ -1,4 +1,4 @@ #!/bin/bash -for ((i = 0 ; i < 100 ; i++)); do - curl --no-progress-meter -o /dev/null http://localhost:2019/config/apps/frankenphp -: --no-progress-meter -o /dev/null -H 'Cache-Control: must-revalidate' -H 'Content-Type: application/json' --data-binary '{"workers":[{"file_name":"./index.php"}]}' -X PATCH http://localhost:2019/config/apps/frankenphp +for ((i = 0; i < 100; i++)); do + curl --no-progress-meter -o /dev/null http://localhost:2019/config/apps/frankenphp -: --no-progress-meter -o /dev/null -H 'Cache-Control: must-revalidate' -H 'Content-Type: application/json' --data-binary '{"workers":[{"file_name":"./index.php"}]}' -X PATCH http://localhost:2019/config/apps/frankenphp done diff --git a/static-builder.Dockerfile b/static-builder.Dockerfile index 723b12f7..79c9b5e4 100644 --- a/static-builder.Dockerfile +++ b/static-builder.Dockerfile @@ -1,4 +1,7 @@ # syntax=docker/dockerfile:1 +#checkov:skip=CKV_DOCKER_2 +#checkov:skip=CKV_DOCKER_3 +#checkov:skip=CKV_DOCKER_7 FROM golang-base ARG TARGETARCH