.github/workflows/cicd.yml

# Docs: https://docs.github.com/en/actions


name: CI/CD

on:
  push:
    branches: ["master"]
  pull_request:
    branches: ["master"]


env:
  DOCKER_REGISTRY: ghcr.io
  DOCKER_IMAGE_NAME: php-nginx
  DOCKER_IMAGE_REPO: ghcr.io/${{ github.repository_owner }}/php-nginx


jobs:

  docker:
    name: Build Docker images

    runs-on: ubuntu-latest
    timeout-minutes: 15

    steps:
      - name: Harden CI
        uses: step-security/harden-runner@v2.6.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            actions-results-receiver-production.githubapp.com:443
            auth.docker.io:443
            dl-cdn.alpinelinux.org:443
            github.com:443
            pecl.php.net:443
            production.cloudflare.docker.com:443
            productionresultssa4.blob.core.windows.net:443
            registry-1.docker.io:443

      - name: Checkout source code
        uses: actions/checkout@v3

      - name: Build Docker images
        run: ./bin/build;

      - name: Save Docker images
        run: docker image save $(docker images --format "{{.Repository}}:{{.Tag}}" "${{ env.DOCKER_IMAGE_REPO }}") | gzip -9 > docker_images.tgz

      - name: Upload Docker image artifacts
        uses: actions/upload-artifact@v3
        with:
          name: docker
          path: docker_images.tgz

  test-docker:
    name: Test Docker images

    needs: [docker]

    runs-on: ubuntu-latest
    timeout-minutes: 15

    steps:

      - name: Harden CI
        uses: step-security/harden-runner@v2.6.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443

      - name: Checkout source code
        uses: actions/checkout@v3

      - name: Download Docker image artifacts
        uses: actions/download-artifact@v3
        with:
          name: docker

      - name: Load Docker images
        run: gzip --uncompress --stdout docker_images.tgz | docker image load

      - name: Test Docker images
        run: ./bin/test;

  push-docker-repo:
    name: Push images to repository

    needs: [test-docker]
    if: github.ref == 'refs/heads/master'

    runs-on: ubuntu-latest
    timeout-minutes: 15

    steps:

      - name: Harden CI
        uses: step-security/harden-runner@v2.6.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            ghcr.io:443
            github.com:443

      # Need source code to push README file contents to Docker Hub
      - name: Checkout source code
        uses: actions/checkout@v3

      - name: Download Docker image artifacts
        uses: actions/download-artifact@v3
        with:
          name: docker

      - name: Load Docker images
        run: gzip --uncompress --stdout docker_images.tgz | docker image load

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.DOCKER_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push images
        run: |
          for image_name in $(docker images --format "{{.Repository}}:{{.Tag}}" "${{ env.DOCKER_IMAGE_REPO }}"); do
            echo "Pushing ${image_name}";
            docker push "${image_name}";
          done;

      - name: Purge untagged images
        uses: actions/delete-package-versions@v4
        with:
          package-name: ${{ env.DOCKER_IMAGE_NAME }}
          package-type: "container"
          min-versions-to-keep: 9
          delete-only-untagged-versions: true