--- name: Build binary releases concurrency: cancel-in-progress: true group: ${{ github.workflow }}-${{ github.ref }} on: pull_request: branches: - main paths: - "docker-bake.hcl" - ".github/workflows/static.yaml" - "**cgo.go" - "**Dockerfile" - "**.c" - "**.h" - "**.sh" - "**.stub.php" push: branches: - main tags: - v*.*.* workflow_dispatch: inputs: #checkov:skip=CKV_GHA_7 version: description: "FrankenPHP version" required: false type: string schedule: - cron: "0 0 * * *" permissions: contents: read env: IMAGE_NAME: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && 'dunglas/frankenphp' || 'dunglas/frankenphp-dev' }} SPC_OPT_BUILD_ARGS: --debug GOTOOLCHAIN: local jobs: prepare: runs-on: ubuntu-24.04 outputs: push: ${{ toJson((steps.check.outputs.ref || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main' && github.event_name != 'pull_request')) && true || false) }} platforms: ${{ steps.matrix.outputs.platforms }} metadata: ${{ steps.matrix.outputs.metadata }} gnu_metadata: ${{ steps.matrix.outputs.gnu_metadata }} ref: ${{ steps.check.outputs.ref }} steps: - name: Get version id: check if: github.event_name == 'schedule' run: | ref="${REF}" if [[ -z "${ref}" ]]; then ref="$(gh release view --repo dunglas/frankenphp --json tagName --jq '.tagName')" fi echo "ref=${ref}" >> "${GITHUB_OUTPUT}" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} REF: ${{ (github.ref_type == 'tag' && github.ref_name) || (github.event_name == 'workflow_dispatch' && inputs.version) || '' }} - uses: actions/checkout@v6 with: ref: ${{ steps.check.outputs.ref }} persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Create platforms matrix id: matrix run: | METADATA="$(docker buildx bake --print static-builder-musl | jq -c)" GNU_METADATA="$(docker buildx bake --print static-builder-gnu | jq -c)" { echo metadata="${METADATA}" echo platforms="$(jq -c 'first(.target[]) | .platforms' <<< "${METADATA}")" echo gnu_metadata="${GNU_METADATA}" } >> "${GITHUB_OUTPUT}" env: SHA: ${{ github.sha }} VERSION: ${{ steps.check.outputs.ref || 'dev' }} build-linux-musl: permissions: contents: write id-token: write attestations: write strategy: fail-fast: false matrix: platform: ${{ fromJson(needs.prepare.outputs.platforms) }} debug: [false] mimalloc: [false] include: - platform: linux/amd64 - platform: linux/amd64 debug: true - platform: linux/amd64 mimalloc: true name: Build ${{ matrix.platform }} static musl binary${{ matrix.debug && ' (debug)' || '' }}${{ matrix.mimalloc && ' (mimalloc)' || '' }} runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }} needs: [prepare] steps: - name: Prepare id: prepare run: echo "sanitized_platform=${PLATFORM//\//-}" >> "${GITHUB_OUTPUT}" env: PLATFORM: ${{ matrix.platform }} - uses: actions/checkout@v6 with: ref: ${{ needs.prepare.outputs.ref }} persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: platforms: ${{ matrix.platform }} - name: Login to DockerHub uses: docker/login-action@v3 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - name: Set VERSION run: | if [ "${GITHUB_REF_TYPE}" == "tag" ]; then export VERSION=${GITHUB_REF_NAME:1} elif [ "${GITHUB_EVENT_NAME}" == "schedule" ]; then export VERSION="${REF}" else export VERSION=${GITHUB_SHA} fi echo "VERSION=${VERSION}" >> "${GITHUB_ENV}" env: REF: ${{ needs.prepare.outputs.ref }} - name: Build id: build uses: docker/bake-action@v6 with: pull: true load: ${{ !fromJson(needs.prepare.outputs.push) || matrix.debug || matrix.mimalloc }} source: . targets: static-builder-musl set: | ${{ matrix.debug && 'static-builder-musl.args.DEBUG_SYMBOLS=1' || '' }} ${{ matrix.mimalloc && 'static-builder-musl.args.MIMALLOC=1' || '' }} ${{ (github.event_name == 'pull_request' || matrix.platform == 'linux/arm64') && 'static-builder-musl.args.NO_COMPRESS=1' || '' }} *.tags= *.platform=${{ matrix.platform }} ${{ fromJson(needs.prepare.outputs.push) && '' || format('*.cache-from=type=gha,scope={0}-static-builder-musl{1}{2}', needs.prepare.outputs.ref || github.ref, matrix.debug && '-debug' || '', matrix.mimalloc && '-mimalloc' || '') }} ${{ fromJson(needs.prepare.outputs.push) && '' || format('*.cache-from=type=gha,scope=refs/heads/main-static-builder-musl{0}{1}', matrix.debug && '-debug' || '', matrix.mimalloc && '-mimalloc' || '') }} ${{ fromJson(needs.prepare.outputs.push) && '' || format('*.cache-to=type=gha,scope={0}-static-builder-musl{1}{2},ignore-error=true', needs.prepare.outputs.ref || github.ref, matrix.debug && '-debug' || '', matrix.mimalloc && '-mimalloc' || '') }} ${{ (fromJson(needs.prepare.outputs.push) && !matrix.debug && !matrix.mimalloc) && format('*.output=type=image,name={0},push-by-digest=true,name-canonical=true,push=true', env.IMAGE_NAME) || '' }} env: SHA: ${{ github.sha }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # Workaround for https://github.com/actions/runner/pull/2477#issuecomment-1501003600 name: Export metadata if: fromJson(needs.prepare.outputs.push) && !matrix.debug && !matrix.mimalloc run: | mkdir -p /tmp/metadata # shellcheck disable=SC2086 digest=$(jq -r '."static-builder-musl"."containerimage.digest"' <<< ${METADATA}) touch "/tmp/metadata/${digest#sha256:}" env: METADATA: ${{ steps.build.outputs.metadata }} - name: Upload metadata if: fromJson(needs.prepare.outputs.push) && !matrix.debug && !matrix.mimalloc uses: actions/upload-artifact@v6 with: name: metadata-static-builder-musl-${{ steps.prepare.outputs.sanitized_platform }} path: /tmp/metadata/* if-no-files-found: error retention-days: 1 - name: Copy binary run: | # shellcheck disable=SC2034 # TODO: remove "containerimage.config.digest" fallback once all runners use buildx v0.18+ # which replaced it with "containerimage.digest" and "containerimage.descriptor" digest=$(jq -r '."static-builder-musl" | ${{ (fromJson(needs.prepare.outputs.push) && !matrix.debug && !matrix.mimalloc) && '."containerimage.digest"' || '(."containerimage.config.digest" // ."containerimage.digest")' }}' <<< "${METADATA}") docker create --platform="${PLATFORM}" --name static-builder-musl "${{ (fromJson(needs.prepare.outputs.push) && !matrix.debug && !matrix.mimalloc) && '${IMAGE_NAME}@${digest}' || '${digest}' }}" docker cp "static-builder-musl:/go/src/app/dist/${BINARY}" "${BINARY}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }}" env: METADATA: ${{ steps.build.outputs.metadata }} BINARY: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }} PLATFORM: ${{ matrix.platform }} - name: Upload artifact if: ${{ !fromJson(needs.prepare.outputs.push) }} uses: actions/upload-artifact@v6 with: name: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }} path: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }} compression-level: 0 - name: Upload assets if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag') run: gh release upload "${REF}" frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }} --repo dunglas/frankenphp --clobber env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} REF: ${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }} - if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag') uses: actions/attest-build-provenance@v3 with: subject-path: ${{ github.workspace }}/frankenphp-linux-* - name: Run sanity checks run: | "${BINARY}" version "${BINARY}" build-info "${BINARY}" list-modules | grep frankenphp "${BINARY}" list-modules | grep http.encoders.br "${BINARY}" list-modules | grep http.handlers.mercure "${BINARY}" list-modules | grep http.handlers.mercure "${BINARY}" list-modules | grep http.handlers.vulcain "${BINARY}" php-cli -r "echo 'Sanity check passed';" env: BINARY: ./frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }} build-linux-gnu: permissions: contents: write id-token: write attestations: write strategy: fail-fast: false matrix: platform: ${{ fromJson(needs.prepare.outputs.platforms) }} name: Build ${{ matrix.platform }} static GNU binary runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }} needs: [prepare] steps: # Inspired by https://gist.github.com/antiphishfish/1e3fbc3f64ef6f1ab2f47457d2da5d9d and https://github.com/apache/flink/blob/master/tools/azure-pipelines/free_disk_space.sh - name: Free disk space run: | set -xe sudo rm -rf /usr/share/dotnet sudo rm -rf /usr/share/swift sudo rm -rf /usr/local/lib/android sudo rm -rf /opt/ghc sudo rm -rf /usr/local/.ghcup sudo rm -rf "/usr/local/share/boost" sudo rm -rf "$AGENT_TOOLSDIRECTORY" sudo rm -rf /opt/hostedtoolcache/ sudo rm -rf /usr/local/graalvm/ sudo rm -rf /usr/local/share/powershell sudo rm -rf /usr/local/share/chromium sudo rm -rf /usr/local/lib/node_modules sudo docker image prune --all --force APT_PARAMS='sudo apt -y -qq -o=Dpkg::Use-Pty=0' $APT_PARAMS remove -y '^dotnet-.*' $APT_PARAMS remove -y '^llvm-.*' $APT_PARAMS remove -y '^php.*' $APT_PARAMS remove -y '^mongodb-.*' $APT_PARAMS remove -y '^mysql-.*' $APT_PARAMS remove -y azure-cli firefox powershell mono-devel libgl1-mesa-dri $APT_PARAMS autoremove --purge -y $APT_PARAMS autoclean $APT_PARAMS clean - name: Prepare id: prepare run: echo "sanitized_platform=${PLATFORM//\//-}" >> "${GITHUB_OUTPUT}" env: PLATFORM: ${{ matrix.platform }} - uses: actions/checkout@v6 with: ref: ${{ needs.prepare.outputs.ref }} persist-credentials: false - name: Set VERSION run: | if [ "${GITHUB_REF_TYPE}" == "tag" ]; then export VERSION=${GITHUB_REF_NAME:1} elif [ "${GITHUB_EVENT_NAME}" == "schedule" ]; then export VERSION="${REF}" else export VERSION=${GITHUB_SHA} fi echo "VERSION=${VERSION}" >> "${GITHUB_ENV}" env: REF: ${{ needs.prepare.outputs.ref }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: platforms: ${{ matrix.platform }} - name: Login to DockerHub uses: docker/login-action@v3 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - name: Build id: build uses: docker/bake-action@v6 with: pull: true load: ${{ !fromJson(needs.prepare.outputs.push) }} source: . targets: static-builder-gnu set: | ${{ (github.event_name == 'pull_request' || matrix.platform == 'linux/arm64') && 'static-builder-gnu.args.NO_COMPRESS=1' || '' }} *.tags= *.platform=${{ matrix.platform }} ${{ fromJson(needs.prepare.outputs.push) && '' || format('*.cache-from=type=gha,scope={0}-static-builder-gnu', needs.prepare.outputs.ref || github.ref) }} ${{ fromJson(needs.prepare.outputs.push) && '' || '*.cache-from=type=gha,scope=refs/heads/main-static-builder-gnu' }} ${{ fromJson(needs.prepare.outputs.push) && '' || format('*.cache-to=type=gha,scope={0}-static-builder-gnu,ignore-error=true', needs.prepare.outputs.ref || github.ref) }} ${{ fromJson(needs.prepare.outputs.push) && format('*.output=type=image,name={0},push-by-digest=true,name-canonical=true,push=true', env.IMAGE_NAME) || '' }} env: SHA: ${{ github.sha }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # Workaround for https://github.com/actions/runner/pull/2477#issuecomment-1501003600 name: Export metadata if: fromJson(needs.prepare.outputs.push) run: | mkdir -p /tmp/metadata-gnu # shellcheck disable=SC2086 digest=$(jq -r '."static-builder-gnu"."containerimage.digest"' <<< ${METADATA}) touch "/tmp/metadata-gnu/${digest#sha256:}" env: METADATA: ${{ steps.build.outputs.metadata }} - name: Upload metadata if: fromJson(needs.prepare.outputs.push) uses: actions/upload-artifact@v6 with: name: metadata-static-builder-gnu-${{ steps.prepare.outputs.sanitized_platform }} path: /tmp/metadata-gnu/* if-no-files-found: error retention-days: 1 - name: Copy all frankenphp* files run: | # shellcheck disable=SC2034 # TODO: remove "containerimage.config.digest" fallback once all runners use buildx v0.18+ # which replaced it with "containerimage.digest" and "containerimage.descriptor" digest=$(jq -r '."static-builder-gnu" | ${{ fromJson(needs.prepare.outputs.push) && '."containerimage.digest"' || '(."containerimage.config.digest" // ."containerimage.digest")' }}' <<< "${METADATA}") container_id=$(docker create --platform="${PLATFORM}" "${{ fromJson(needs.prepare.outputs.push) && '${IMAGE_NAME}@${digest}' || '${digest}' }}") mkdir -p gh-output cd gh-output for file in $(docker run --rm "${{ fromJson(needs.prepare.outputs.push) && '${IMAGE_NAME}@${digest}' || '${digest}' }}" sh -c "ls /go/src/app/dist | grep '^frankenphp'"); do docker cp "${container_id}:/go/src/app/dist/${file}" "./${file}" done docker rm "${container_id}" mv "${BINARY}" "${BINARY}-gnu" env: METADATA: ${{ steps.build.outputs.metadata }} BINARY: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }} PLATFORM: ${{ matrix.platform }} - name: Upload artifact if: ${{ !fromJson(needs.prepare.outputs.push) }} uses: actions/upload-artifact@v6 with: name: frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}-gnu-files path: gh-output/* - name: Upload assets if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag') run: gh release upload "${REF}" gh-output/* --repo dunglas/frankenphp --clobber env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} REF: ${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref }} - if: fromJson(needs.prepare.outputs.push) && (needs.prepare.outputs.ref || github.ref_type == 'tag') uses: actions/attest-build-provenance@v3 with: subject-path: ${{ github.workspace }}/gh-output/frankenphp-linux-*-gnu - name: Run sanity checks run: | "${BINARY}" version "${BINARY}" list-modules | grep frankenphp "${BINARY}" list-modules | grep http.encoders.br "${BINARY}" list-modules | grep http.handlers.mercure "${BINARY}" list-modules | grep http.handlers.mercure "${BINARY}" list-modules | grep http.handlers.vulcain "${BINARY}" php-cli -r "echo 'Sanity check passed';" env: BINARY: ./gh-output/frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}-gnu # Adapted from https://docs.docker.com/build/ci/github-actions/multi-platform/ push: runs-on: ubuntu-24.04 needs: - prepare - build-linux-musl - build-linux-gnu if: fromJson(needs.prepare.outputs.push) steps: - name: Download metadata uses: actions/download-artifact@v7 with: pattern: metadata-static-builder-musl-* path: /tmp/metadata merge-multiple: true - name: Download GNU metadata uses: actions/download-artifact@v7 with: pattern: metadata-static-builder-gnu-* path: /tmp/metadata-gnu merge-multiple: true - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to DockerHub uses: docker/login-action@v3 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: username: ${{ secrets.REGISTRY_USERNAME }} password: ${{ secrets.REGISTRY_PASSWORD }} - name: Create manifest list and push working-directory: /tmp/metadata run: | # shellcheck disable=SC2046,SC2086 docker buildx imagetools create $(jq -cr '.target."static-builder-musl".tags | map("-t " + .) | join(" ")' <<< "${METADATA}") \ $(printf "${IMAGE_NAME}@sha256:%s " *) env: METADATA: ${{ needs.prepare.outputs.metadata }} - name: Create GNU manifest list and push working-directory: /tmp/metadata-gnu run: | # shellcheck disable=SC2046,SC2086 docker buildx imagetools create $(jq -cr '.target."static-builder-gnu".tags | map("-t " + .) | join(" ")' <<< "${GNU_METADATA}") \ $(printf "${IMAGE_NAME}@sha256:%s " *) env: GNU_METADATA: ${{ needs.prepare.outputs.gnu_metadata }} - name: Inspect image run: | # shellcheck disable=SC2046,SC2086 docker buildx imagetools inspect "$(jq -cr '.target."static-builder-musl".tags | first' <<< "${METADATA}")" env: METADATA: ${{ needs.prepare.outputs.metadata }} - name: Inspect GNU image run: | # shellcheck disable=SC2046,SC2086 docker buildx imagetools inspect "$(jq -cr '.target."static-builder-gnu".tags | first' <<< "${GNU_METADATA}")-gnu" env: GNU_METADATA: ${{ needs.prepare.outputs.gnu_metadata }} build-mac: permissions: contents: write id-token: write attestations: write strategy: fail-fast: false matrix: platform: ["arm64", "x86_64"] name: Build macOS ${{ matrix.platform }} binaries runs-on: ${{ matrix.platform == 'arm64' && 'macos-15' || 'macos-15-intel' }} needs: [prepare] env: HOMEBREW_NO_AUTO_UPDATE: 1 steps: - uses: actions/checkout@v6 with: ref: ${{ needs.prepare.outputs.ref }} persist-credentials: false - uses: actions/setup-go@v6 with: # zizmor: ignore[cache-poisoning] go-version: "1.26" cache-dependency-path: | go.sum caddy/go.sum cache: ${{ github.event_name != 'release' }} - name: Set FRANKENPHP_VERSION run: | if [ "${GITHUB_REF_TYPE}" == "tag" ]; then export FRANKENPHP_VERSION=${GITHUB_REF_NAME:1} elif [ "${GITHUB_EVENT_NAME}" == "schedule" ]; then export FRANKENPHP_VERSION="${REF}" else export FRANKENPHP_VERSION=${GITHUB_SHA} fi echo "FRANKENPHP_VERSION=${FRANKENPHP_VERSION}" >> "${GITHUB_ENV}" env: REF: ${{ needs.prepare.outputs.ref }} - name: Build FrankenPHP run: ./build-static.sh env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} RELEASE: ${{ (needs.prepare.outputs.ref || github.ref_type == 'tag') && '1' || '' }} NO_COMPRESS: ${{ github.event_name == 'pull_request' && '1' || '' }} - name: Upload logs if: ${{ failure() }} uses: actions/upload-artifact@v6 with: path: dist/static-php-cli/log name: static-php-cli-log-${{ matrix.platform }}-${{ github.sha }} - if: needs.prepare.outputs.ref || github.ref_type == 'tag' uses: actions/attest-build-provenance@v3 with: subject-path: ${{ github.workspace }}/dist/frankenphp-mac-* - name: Upload artifact if: github.ref_type == 'branch' uses: actions/upload-artifact@v6 with: name: frankenphp-mac-${{ matrix.platform }} path: dist/frankenphp-mac-${{ matrix.platform }} compression-level: 0 - name: Run sanity checks run: | "${BINARY}" version "${BINARY}" build-info "${BINARY}" list-modules | grep frankenphp "${BINARY}" list-modules | grep http.encoders.br "${BINARY}" list-modules | grep http.handlers.mercure "${BINARY}" list-modules | grep http.handlers.mercure "${BINARY}" list-modules | grep http.handlers.vulcain "${BINARY}" php-cli -r "echo 'Sanity check passed';" env: BINARY: dist/frankenphp-mac-${{ matrix.platform }}