feat: multi-arch builds with cosign provenance and image signature

Author: fontebasso

.github/workflows/docker-image-release.yml

@@ -1,67 +1,86 @@
-name: Docker Cloud Build
+name: Docker Provenance Multi-Arch Build
 
 on:
   release:
     types:
       - published
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
-  docker:
-    runs-on: ubuntu-latest
+  build:
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+        include:
+          - arch: amd64
+            runner: ubuntu-24.04
+          - arch: arm64
+            runner: ubuntu-24.04-arm64
+
+    runs-on: ${{ matrix.runner }}
+    outputs:
+      version: ${{ steps.version.outputs.tag }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Extract release version
+        id: version
+        run: echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
+
       - name: Log in to Docker Hub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Set up Docker Buildx (cloud driver)
+      - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
-          version: lab:latest
-          driver: cloud
-          endpoint: fontebasso/multiarch-builder
+          install: true
 
-      - name: Extract release version
-        id: version
-        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-
-      - name: Build for amd64
+      - name: Build and push image with provenance for ${{ matrix.arch }}
         uses: docker/build-push-action@v6
         with:
           context: .
-          tags: |
-            fontebasso/php-nginx:${{ env.RELEASE_VERSION }}-amd64
-          platforms: linux/amd64
+          platforms: linux/${{ matrix.arch }}
+          tags: fontebasso/php-nginx:${{ steps.version.outputs.tag }}-${{ matrix.arch }}
           push: true
-          attestations: |
-            type=provenance,mode=max
+          provenance: true
 
-      - name: Build for arm64
-        uses: docker/build-push-action@v6
+  merge:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Extract release version
+        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
         with:
-          context: .
-          tags: |
-            fontebasso/php-nginx:${{ env.RELEASE_VERSION }}-arm64
-          platforms: linux/arm64
-          push: true
-          attestations: |
-            type=provenance,mode=max
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Merge and push multi-arch
+      - name: Merge multi-arch image
         run: |
           docker buildx imagetools create \
-            --tag fontebasso/php-nginx:${{ env.RELEASE_VERSION }} \
+            --tag fontebasso/php-nginx:${RELEASE_VERSION} \
             --tag fontebasso/php-nginx:latest \
-            fontebasso/php-nginx:${{ env.RELEASE_VERSION }}-amd64 \
-            fontebasso/php-nginx:${{ env.RELEASE_VERSION }}-arm64
+            fontebasso/php-nginx:${RELEASE_VERSION}-amd64 \
+            fontebasso/php-nginx:${RELEASE_VERSION}-arm64
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Sign image using GitHub OIDC
+        run: cosign sign --yes --key github docker.io/fontebasso/php-nginx:${RELEASE_VERSION}
 
-      - name: Clean up intermediate tags
+      - name: Generate and attach SLSA Provenance
         run: |
-          docker logout
-          echo "${{ secrets.DOCKERHUB_TOKEN }}" | docker login -u "${{ secrets.DOCKERHUB_USERNAME }}" --password-stdin
-          docker rmi fontebasso/php-nginx:${{ env.RELEASE_VERSION }}-amd64 || true
-          docker rmi fontebasso/php-nginx:${{ env.RELEASE_VERSION }}-arm64 || true
+          cosign attest --yes \
+            --key github \
+            --type=provenance \
+            docker.io/fontebasso/php-nginx:${RELEASE_VERSION}

Dockerfile

@@ -7,90 +7,89 @@ ARG VERSION_OS='3.20'
 ARG VERSION_PHP='8.3'
 
 LABEL \
-    ALPINE="$VERSION_OS" \
-    PHP_VERSION="$VERSION_PHP" \
-    MAINTAINER='Samuel Fontebasso <[email protected]>'
+    maintainer="Samuel Fontebasso <[email protected]>" \
+    alpine="${VERSION_OS}" \
+    php_version="${VERSION_PHP}"
+
+ENV APP_DIR="/app"
 
 RUN set -eux; \
     apk update; \
-    apk add --no-cache --upgrade \
-       bzip2-dev \
-       ca-certificates \
-       curl \
-       curl-dev \
-       freetype-dev \
-       ghostscript \
-       git \
-       icu-dev \
-       imagemagick \
-       imagemagick-dev \
-       imagemagick-libs \
-       jpeg-dev \
-       libjpeg-turbo-dev \
-       libmcrypt-dev \
-       libpng-dev \
-       libxml2-dev \
-       libzip-dev \
-       ncurses \
-       nginx \
-       nginx-mod-http-headers-more \
-       oniguruma-dev \
-       openssl \
-       runit \
-       sqlite; \
+    apk add --no-cache \
+      ca-certificates \
+      curl \
+      git \
+      icu-dev \
+      imagemagick \
+      jpeg-dev \
+      freetype-dev \
+      libpng-dev \
+      libxml2-dev \
+      libzip-dev \
+      oniguruma-dev \
+      sqlite \
+      nginx \
+      nginx-mod-http-headers-more \
+      runit \
+      openssl \
+      libjpeg-turbo-dev \
+      ncurses; \
     apk add --no-cache --virtual .build-deps \
-       build-base \
-       gcc \
-       wget \
-       autoconf \
-       linux-headers; \
-    docker-php-ext-configure gd \
-      --with-freetype \
-      --with-jpeg; \
-    docker-php-ext-configure pcntl \
-      --enable-pcntl; \
-    docker-php-ext-install \
-        bcmath \
-        bz2 \
-        calendar \
-        exif \
-        gd \
-        opcache \
-        pcntl \
-        pdo_mysql \
-        shmop \
-        sockets \
-        sysvmsg \
-        sysvsem \
-        sysvshm \
-        zip; \
-    pecl install grpc; \
-    git clone https://github.com/Imagick/imagick.git --depth 1 /tmp/imagick; \
+      build-base \
+      autoconf \
+      linux-headers \
+      bzip2-dev \
+      curl-dev \
+      libmcrypt-dev \
+      imagemagick-dev \
+      wget \
+      gcc; \
+    docker-php-ext-configure gd --with-freetype --with-jpeg; \
+    docker-php-ext-configure pcntl --enable-pcntl; \
+    docker-php-ext-install -j$(nproc) \
+      bcmath \
+      bz2 \
+      calendar \
+      exif \
+      gd \
+      opcache \
+      pcntl \
+      pdo_mysql \
+      shmop \
+      sockets \
+      sysvmsg \
+      sysvsem \
+      sysvshm \
+      zip; \
+    git clone --depth=1 https://github.com/Imagick/imagick.git /tmp/imagick; \
     cd /tmp/imagick; \
     phpize; \
     ./configure; \
     make -j$(nproc); \
     make install; \
     docker-php-ext-enable --ini-name docker-php-ext-x-01-imagick.ini imagick; \
+    rm -rf /tmp/imagick; \
+    pecl install grpc; \
     docker-php-ext-enable --ini-name docker-php-ext-x-02-grpc.ini grpc; \
     apk del .build-deps; \
-    rm -rf /var/cache/apk/* /tmp/imagick; \
-    ln -sf /dev/stdout /var/log/nginx/access.log; \
+    rm -rf /var/cache/apk/*; \
+    rm -rf /tmp/*; \
+    rm -f /var/log/nginx/access.log; \
+    ln -sf /dev/null /var/log/nginx/access.log; \
     ln -sf /dev/stderr /var/log/nginx/error.log; \
-    mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini";
+    mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
 
 COPY ./src /
-COPY ./custom_params.ini /usr/local/etc/php/conf.d/docker-php-ext-x-02-custom-params.ini
+COPY ./custom_params.ini /usr/local/etc/php/conf.d/docker-php-ext-x-03-custom-params.ini
 
 RUN set -eux; \
     touch /env; \
-    chown -R www-data:www-data /env /app /var/log/nginx /etc/service /var/run /var/lib/nginx /run/nginx;
-
-RUN chmod +x \
-   /sbin/runit-wrapper \
-   /sbin/runsvdir-start \
-   /etc/service/nginx/run \
-   /etc/service/php-fpm/run
+    chown -R www-data:www-data /env /app /var/log/nginx /etc/service /var/run /var/lib/nginx /run/nginx; \
+    chmod +x \
+      /sbin/runit-wrapper \
+      /sbin/runsvdir-start \
+      /etc/service/nginx/run \
+      /etc/service/php-fpm/run
 
 USER www-data
 WORKDIR /app

README.md

@@ -4,21 +4,37 @@
 [![Docker Pulls](https://img.shields.io/docker/pulls/fontebasso/php-nginx)](https://hub.docker.com/r/fontebasso/php-nginx)
 [![GitHub Repo](https://img.shields.io/badge/github-repo-yellowgreen)](https://github.com/fontebasso/docker-php-nginx)
 [![GitHub License](https://img.shields.io/github/license/fontebasso/docker-php-nginx)](https://github.com/fontebasso/docker-php-nginx/blob/main/LICENSE)
+[![Signed with Sigstore](https://img.shields.io/badge/sigstore-signed-blue?logo=sigstore)](https://www.sigstore.dev)
 
 This repository contains a Docker image for running high-performance PHP web applications. It is optimized for speed, efficiency, and includes a comprehensive set of tools and libraries commonly used in web development.
 
-> This image is ready to run in production, suggestions for improvements and corrections are very welcome, see [how to contribute](CONTRIBUTING.md).
+> This image is **signed and attested using [Sigstore](https://www.sigstore.dev/)**. You can publicly verify its provenance using cosign.
 
-> If you identify a security breach, please report it as soon as possible under guidelines outlined in our [security policy](SECURITY.md).
+> If you identify a security breach, please report it as soon as possible under the guidelines outlined in our [security policy](SECURITY.md).
+
+
+## Security & Provenance
+
+This image is cryptographically signed using GitHub OIDC and cosign, and its build provenance is verifiable through the Rekor transparency log.
+
+To verify the image and its provenance:
+
+```bash
+cosign verify docker.io/fontebasso/php-nginx:latest
+cosign verify-attestation --type=provenance docker.io/fontebasso/php-nginx:latest
+```
+
+No manual setup or keys required — Cosign uses GitHub Actions identity.
 
 ## Features
 
-- **PHP 8.2**: The image uses PHP 8.2, which is optimized for performance and includes numerous features and improvements.
-- **Alpine Linux 3.16**: A minimal Docker image based on Alpine Linux for security and reduced image size.
-- **Nginx**: Fast and reliable web server.
-- **Essential PHP Extensions**: Including `bcmath`, `bz2`, `calendar`, `exif`, `gd`, `opcache`, `pdo_mysql`, `shmop`, `sockets`, `sysvmsg`, `sysvsem`, `sysvshm`, `pcntl`, `zip`, and `imagick`.
-- **Pre-installed Libraries**: `git`, `bzip2-dev`, `freetype-dev`, `icu-dev`, `imagemagick`, `jpeg-dev`, `libpng-dev`, `libressl-dev`, `libxml2-dev`, `libzip-dev`, `oniguruma-dev` and more.
-- **Runit**: Lightweight and easy-to-use init system.
+- **PHP 8.3:** Modern version with performance improvements and long-term support.
+- **Alpine Linux 3.20:** Minimal base for better security and smaller footprint.
+- **Nginx:** Fast and reliable web server.
+- **Essential PHP Extensions:** Includes `bcmath`, `bz2`, `calendar`, `exif`, `gd`, `opcache`, `pcntl`, `pdo_mysql`, `shmop`, `sockets`, `sysvmsg`, `sysvsem`, `sysvshm`, `zip`, `imagick`, `grpc`.
+- **Pre-installed Libraries:** `git`, `icu-dev`, `imagemagick`, `freetype`, `jpeg`, `libpng`, `libxml2`, `libzip`, `oniguruma`, `curl`, `nginx-mod-http-headers-more`.
+- **Runit:** Lightweight init system for process supervision.
+- **Multi-arch builds:** Supports linux/amd64 and linux/arm64.
 
 ## Getting Started
 
@@ -42,22 +58,22 @@ To run a container using this image, execute:
 docker run -d -p 8080:80 fontebasso/php-nginx:latest
 ```
 
-This command will start a container and map port 8080 on your local machine to port 80 on the container.
+This will expose Nginx on port 8080 of your local machine.
 
 ### Custom Configuration
 
 You can customize the PHP configuration by editing the custom_params.ini file and copying it to the appropriate directory:
 
 ```dockerfile
-COPY ./custom_params.ini /usr/local/etc/php/conf.d/docker-php-ext-x-02-custom-params.ini
+COPY ./custom_params.ini /usr/local/etc/php/conf.d/docker-php-ext-x-03-custom-params.ini
 ```
 
 ### Directory Structure
 
 - `/app`: The application code.
 - `/env`: Environment variables directory.
 - `/var/log/nginx`: Nginx logs.
-- `/etc/service`: Service definitions for `runit`.
+- `/etc/service`: Runit service definitions.
 
 ## Development
 
@@ -71,14 +87,18 @@ docker build -t fontebasso/php-nginx:latest .
 
 ### Building for Multiple Architectures
 
-This repository is configured to build for multiple architectures using GitHub Actions. Supported architectures:
+This repository is configured to build for:
 
 - `linux/amd64`
 - `linux/arm64`
 
+Via GitHub Actions with provenance and public signing.
+
 ### Contributing
 
-Contributions are welcome! Please fork this repository and submit a pull request with your changes.
+Pull requests are welcome! Please fork the repository and submit your improvements.
+
+We follow standard open-source contribution guidelines, and are happy to receive help improving this project.
 
 ## Maintainers