2026-05-30 21:43:06 +00:00
6 changed files with 55 additions and 18 deletions
@@ -1,3 +1,6 @@
+# Build descriptors (not application code)
+Dockerfile*
+
 # Version control
 .git
 .gitea
@@ -73,10 +73,30 @@ jobs:
          username: ${{ gitea.actor }}
          password: ${{ secrets.REGISTRY_TOKEN }}

+      # Build a single-arch image locally so Trivy can inspect it before the real push.
+      - name: Build local image for scanning
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          target: final
+          platforms: linux/amd64
+          load: true
+          tags: scan-target:${{ inputs.tag }}
+          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ gitea.repository }}:buildcache
+
+      - name: Scan image with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: scan-target:${{ inputs.tag }}
+          format: table
+          exit-code: '1'
+          severity: CRITICAL,HIGH
+
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
+          target: final
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
@@ -1,7 +1,7 @@
 FROM dunglas/frankenphp:1-php8.4-alpine AS base

 RUN apk add --no-cache icu-dev libzip-dev \
-    && docker-php-ext-install -j$(nproc) intl \
+    && docker-php-ext-install -j$(nproc) intl zip \
    && apk del icu-dev libzip-dev \
    && apk add --no-cache curl icu-libs libzip

@@ -25,21 +25,6 @@ RUN composer dump-autoload --optimize --no-dev --no-interaction && \
    mkdir -p var/cache var/log && \
    APP_ENV=prod APP_SECRET=placeholder php bin/console cache:warmup --no-debug

-# ── dev stage (all deps + Xdebug, source is mounted at runtime) ───────────────
-FROM base AS dev
-COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
-RUN apk add --no-cache ${PHPIZE_DEPS} linux-headers \
-    && pecl install xdebug \
-    && docker-php-ext-enable xdebug \
-    && apk del ${PHPIZE_DEPS}
-COPY docker/php/xdebug.ini /usr/local/etc/php/conf.d/docker-xdebug.ini
-COPY docker/frankenphp/Caddyfile.dev /etc/caddy/Caddyfile
-COPY composer.json composer.lock* ./
-RUN composer install --no-scripts --no-interaction --prefer-dist
-EXPOSE 8080
-ENV APP_ENV=dev APP_DEBUG=1
-CMD ["frankenphp", "run", "--config", "/etc/caddy/Caddyfile"]
-
 # ── final (prod) stage — no composer binary ────────────────────────────────────
 FROM base AS final

@@ -47,7 +32,11 @@ RUN addgroup -S app && adduser -S -G app app

 COPY --from=build /app/vendor /app/vendor
 COPY --from=build /app/var/cache/prod /app/var/cache/prod
-COPY . .
+COPY bin/ ./bin/
+COPY config/ ./config/
+COPY public/ ./public/
+COPY src/ ./src/
+COPY composer.json composer.lock ./
 COPY docker/frankenphp/Caddyfile /etc/caddy/Caddyfile

 RUN mkdir -p var/cache/prod/pools var/log && chown -R app:app /app
@@ -0,0 +1,24 @@
+FROM dunglas/frankenphp:1-php8.4-alpine
+
+RUN apk add --no-cache icu-dev libzip-dev \
+    && docker-php-ext-install -j$(nproc) intl zip \
+    && apk del icu-dev libzip-dev \
+    && apk add --no-cache curl icu-libs libzip
+
+COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
+
+RUN apk add --no-cache ${PHPIZE_DEPS} linux-headers \
+    && pecl install xdebug \
+    && docker-php-ext-enable xdebug \
+    && apk del ${PHPIZE_DEPS}
+
+WORKDIR /app
+
+COPY docker/php/xdebug.ini /usr/local/etc/php/conf.d/docker-xdebug.ini
+COPY docker/frankenphp/Caddyfile.dev /etc/caddy/Caddyfile
+COPY composer.json composer.lock* ./
+RUN composer install --no-scripts --no-interaction --prefer-dist
+
+EXPOSE 8080
+ENV APP_ENV=dev APP_DEBUG=1
+CMD ["frankenphp", "run", "--config", "/etc/caddy/Caddyfile"]
@@ -3,7 +3,7 @@
 services:
  graph:
    build:
-      target: dev
+      dockerfile: Dockerfile.dev
    volumes:
      - .:/app
      - /app/vendor        # keeps vendor from the dev image, not your local dir
@@ -28,6 +28,7 @@ services:
      interval: 30s
      timeout: 5s
      retries: 3
+      start_period: 10s

 volumes:
  cache: