refactor: rebuild Docker image from scratch with pure Alpine, PHP and NGINX compiled from source and signed SBOM

Author: fontebasso

.github/workflows/docker-image-release.yml renamed to .github/workflows/release.yml

@@ -1,4 +1,4 @@
-name: Docker Provenance Multi-Arch Build
+name: Docker Image Release
 
 on:
   release:
@@ -92,6 +92,42 @@ jobs:
         run: |
           cosign sign --yes docker.io/fontebasso/php-nginx@${{ steps.push.outputs.digest }}
 
+  attach-sbom:
+    name: Generate and Attach SBOM
+    needs: merge-multiarch
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Syft
+        uses: anchore/sbom-action/[email protected]
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Generate SBOM (Syft JSON)
+        run: |
+          syft docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }} \
+            -o spdx-json > sbom.spdx.json
+
+      - name: Attach SBOM to image
+        run: |
+          cosign attach sbom \
+            --sbom sbom.spdx.json \
+            docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }}
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: 'sbom'
+          path: sbom.spdx.json
+
+      - name: Sign SBOM
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+        run: |
+          cosign sign --yes \
+            --attachment sbom \
+            docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }}
+
   generate-provenance:
     name: Generate SLSA Provenance v1.1
     needs: merge-multiarch
@@ -104,7 +140,50 @@ jobs:
       registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
       registry-password: ${{ secrets.DOCKERHUB_TOKEN }}
     permissions:
+      packages: write
       id-token: write
       contents: read
-      packages: write
       actions: read
+
+  publish-assets:
+    name: Publish SBOM and Provenance to Release
+    needs: [ attach-sbom, generate-provenance, merge-multiarch ]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Extract release version
+        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Download provenance from registry
+        run: |
+          cosign download attestation \
+            docker.io/fontebasso/php-nginx@${{ needs.merge-multiarch.outputs.digest }} \
+            --output-file provenance.intoto.jsonl
+
+      - name: Download SBOM artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: 'sbom'
+
+      - name: Save digest to file
+        run: echo "${{ needs.merge-multiarch.outputs.digest }}" > digest.txt
+
+      - name: Generate checksums
+        run: |
+          sha256sum \
+            provenance.intoto.jsonl \
+            sbom.spdx.json \
+            digest.txt > checksums.txt
+
+      - name: Upload release assets
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            provenance.intoto.jsonl
+            sbom.spdx.json
+            digest.txt
+            checksums.txt

Dockerfile

@@ -1,104 +1,190 @@
-ARG NAME_IMAGE_BASE='php'
-ARG NAME_IMAGE_TAG='8.3-fpm-alpine3.20'
+ARG ALPINE_VERSION=3.21
+ARG PHP_VERSION=8.3.20
+ARG NGINX_VERSION=1.27.5
 
-FROM ${NAME_IMAGE_BASE}:${NAME_IMAGE_TAG}
-
-ARG VERSION_OS='3.20'
-ARG VERSION_PHP='8.3'
-ARG VERSION='unknown'
+FROM alpine:${ALPINE_VERSION}
+ARG ALPINE_VERSION
+ARG PHP_VERSION
+ARG NGINX_VERSION
 
 LABEL \
-    org.opencontainers.image.title="PHP + NGINX" \
-    org.opencontainers.image.description="Lightweight and secure image with PHP 8.3 and NGINX on Alpine" \
-    org.opencontainers.image.source="https://github.com/fontebasso/docker-php-nginx" \
-    org.opencontainers.image.version="${VERSION}" \
-    org.opencontainers.image.licenses="MIT" \
-    maintainer="Samuel Fontebasso <[email protected]>" \
-    alpine="${VERSION_OS}" \
-    php_version="${VERSION_PHP}"
+  org.opencontainers.image.title="PHP + NGINX (compiled from source)" \
+  org.opencontainers.image.description="Image built from Alpine with PHP and NGINX compiled from source using only permissive licenses (MIT/BSD/Apache)" \
+  org.opencontainers.image.source="https://github.com/fontebasso/docker-php-nginx" \
+  org.opencontainers.image.licenses="MIT" \
+  maintainer="Samuel Fontebasso <[email protected]>" \
+  alpine="${ALPINE_VERSION}" \
+  php_version="${PHP_VERSION}" \
+  nginx_version="${NGINX_VERSION}"
 
 ENV APP_DIR="/app"
 
 RUN set -eux; \
-    apk update; \
-    apk add --no-cache \
-      ca-certificates \
-      curl \
-      git \
-      icu-dev \
-      imagemagick \
-      jpeg-dev \
-      freetype-dev \
-      libpng-dev \
-      libxml2-dev \
-      libzip-dev \
-      oniguruma-dev \
-      sqlite \
-      nginx \
-      nginx-mod-http-headers-more \
-      runit \
-      openssl \
-      libjpeg-turbo-dev \
-      ncurses; \
-    apk add --no-cache --virtual .build-deps \
-      build-base \
-      autoconf \
-      linux-headers \
-      bzip2-dev \
-      curl-dev \
-      libmcrypt-dev \
-      imagemagick-dev \
-      wget \
-      gcc; \
-    docker-php-ext-configure gd --with-freetype --with-jpeg; \
-    docker-php-ext-configure pcntl --enable-pcntl; \
-    docker-php-ext-install -j$(nproc) \
-      bcmath \
-      bz2 \
-      calendar \
-      exif \
-      gd \
-      opcache \
-      pcntl \
-      pdo_mysql \
-      shmop \
-      sockets \
-      sysvmsg \
-      sysvsem \
-      sysvshm \
-      zip; \
-    git clone --depth=1 https://github.com/Imagick/imagick.git /tmp/imagick; \
-    cd /tmp/imagick; \
-    phpize; \
-    ./configure; \
-    make -j$(nproc); \
-    make install; \
-    docker-php-ext-enable --ini-name docker-php-ext-x-01-imagick.ini imagick; \
-    rm -rf /tmp/imagick; \
-    pecl install grpc; \
-    docker-php-ext-enable --ini-name docker-php-ext-x-02-grpc.ini grpc; \
-    apk del .build-deps; \
-    rm -rf /var/cache/apk/*; \
-    rm -rf /tmp/*; \
-    rm -f /var/log/nginx/access.log; \
-    ln -sf /dev/null /var/log/nginx/access.log; \
-    ln -sf /dev/stderr /var/log/nginx/error.log; \
-    mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
+  ln -sf /bin/false /usr/bin/tar; \
+  apk update; \
+  apk add --no-cache \
+    bash \
+    runit \
+    ca-certificates \
+    curl \
+    git \
+    tzdata \
+    libevent \
+    libzip \
+    libedit \
+    openssl \
+    zlib \
+    sqlite-libs \
+    oniguruma \
+    libarchive-tools;
+
+# --- Build NGINX ---
+RUN set -eux; \
+  apk add --no-cache --virtual .build-nginx-deps \
+    build-base \
+    pcre2-dev \
+    zlib-dev \
+    openssl-dev; \
+  curl -fsSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o /tmp/nginx.tar.gz; \
+  curl -fsSL https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v0.38.tar.gz -o /tmp/headers-more.tar.gz; \
+  mkdir -p /tmp/nginx /tmp/headers-more-nginx-module-0.38; \
+  bsdtar -xf /tmp/nginx.tar.gz -C /tmp; \
+  bsdtar -xf /tmp/headers-more.tar.gz -C /tmp; \
+  cd /tmp/nginx-${NGINX_VERSION}; \
+  ./configure \
+    --prefix=/opt/nginx \
+    --with-http_ssl_module \
+    --with-http_gzip_static_module \
+    --with-http_stub_status_module \
+    --with-http_realip_module \
+    --with-threads \
+    --with-pcre \
+    --add-module=/tmp/headers-more-nginx-module-0.38 \
+    --with-cc-opt='-O2 -fPIC' \
+    --conf-path=/etc/nginx/nginx.conf \
+    --error-log-path=/var/log/nginx/error.log \
+    --http-log-path=/var/log/nginx/access.log; \
+  make -j$(nproc); \
+  make install; \
+  ln -s /opt/nginx/sbin/nginx /usr/sbin/nginx; \
+  apk del .build-nginx-deps; \
+  rm -rf /tmp/nginx*
+
+# --- Build PHP ---
+RUN set -eux; \
+  apk add --no-cache --virtual .build-php-deps \
+    autoconf \
+    bzip2-dev \
+    curl-dev \
+    libedit-dev \
+    libxml2-dev \
+    libpng-dev \
+    jpeg-dev \
+    freetype-dev \
+    libsodium-dev \
+    libjpeg-turbo-dev \
+    libwebp-dev \
+    libxpm-dev \
+    libzip-dev \
+    sqlite-dev \
+    openssl-dev \
+    zlib-dev \
+    bzip2-dev \
+    oniguruma-dev \
+    linux-headers \
+    gcc \
+    g++ \
+    make \
+    pkgconf; \
+  curl -fsSL https://www.php.net/distributions/php-${PHP_VERSION}.tar.gz -o /tmp/php.tar.gz; \
+  bsdtar -xf /tmp/php.tar.gz -C /tmp; \
+  cd /tmp/php-${PHP_VERSION}; \
+  ./configure \
+    --prefix=/opt/php \
+    --enable-fpm \
+    --enable-gd \
+    --with-bz2 \
+    --with-freetype \
+    --with-jpeg \
+    --with-webp \
+    --with-xpm \
+    --with-png \
+    --with-openssl \
+    --with-zlib \
+    --with-curl \
+    --with-sodium \
+    --with-libedit \
+    --enable-mbstring \
+    --enable-bcmath \
+    --enable-exif \
+    --enable-pcntl \
+    --enable-opcache \
+    --enable-pdo \
+    --enable-shmop \
+    --enable-sockets \
+    --enable-sysvmsg \
+    --enable-sysvsem \
+    --enable-sysvshm \
+    --enable-calendar \
+    --with-pdo-mysql \
+    --with-pdo-sqlite \
+    --with-config-file-scan-dir=/opt/php/etc/conf.d \
+    --with-zip \
+    --disable-cgi \
+    --disable-phpdbg; \
+  make -j$(nproc); \
+  make install; \
+  cp sapi/fpm/php-fpm.conf /opt/php/etc/php-fpm.conf; \
+  cp sapi/fpm/www.conf /opt/php/etc/php-fpm.d/www.conf; \
+  cp php.ini-production /opt/php/lib/php.ini; \
+  ln -s /opt/php/sbin/php-fpm /usr/sbin/php-fpm; \
+  ln -s /opt/php/bin/php /usr/bin/php; \
+  ln -s /opt/php/bin/phpize /usr/bin/phpize; \
+  ln -s /opt/php/bin/pecl /usr/bin/pecl; \
+  ln -s /opt/php/bin/php-config /usr/bin/php-config; \
+  mkdir -p /opt/php/etc/conf.d; \
+  apk del .build-php-deps; \
+  rm -rf /tmp/php*
 
 COPY ./src /
-COPY ./custom_params.ini /usr/local/etc/php/conf.d/docker-php-ext-x-03-custom-params.ini
+COPY ./custom_params.ini /opt/php/etc/conf.d/php-03-custom-params.ini
 
 RUN set -eux; \
-    touch /env; \
-    chown -R www-data:www-data /env /app /var/log/nginx /etc/service /var/run /var/lib/nginx /run/nginx; \
-    chmod +x \
-      /sbin/runit-wrapper \
-      /sbin/runsvdir-start \
-      /etc/service/nginx/run \
-      /etc/service/php-fpm/run
+  apk add --no-cache \
+    libgomp \
+    libheif \
+    openjpeg \
+    librsvg \
+    libsodium \
+    libraw \
+    libwmf \
+    libxml2 \
+    sqlite-libs \
+    libzip \
+    freetype \
+    libjpeg-turbo \
+    libpng \
+    libwebp \
+    libxpm \
+    oniguruma \
+    libarchive-tools; \
+  apk del bash; \
+  touch /env; \
+  chmod +x \
+    /sbin/runit-wrapper \
+    /sbin/runsvdir-start \
+    /etc/service/*/run; \
+  adduser -S www-data -G www-data; \
+  mkdir -p \
+    /run/nginx \
+    /var/log/nginx \
+    /opt/nginx/client_body_temp; \
+  chown -R www-data:www-data \
+    /app /env /etc/service /opt/nginx /var/log/nginx /opt/php /tmp /run/nginx
 
 USER www-data
 WORKDIR /app
-EXPOSE 80/tcp
+
+EXPOSE 80
 
 CMD ["/sbin/runit-wrapper"]

README.md

@@ -12,11 +12,9 @@ This repository contains a Docker image for running high-performance PHP web app
 
 ## Features
 
-- **PHP 8.3:** Modern version with performance improvements and long-term support.
 - **Alpine Linux 3.20:** Minimal base for better security and smaller footprint.
+- **PHP 8.3:** Modern version with performance improvements and long-term support.
 - **Nginx:** Fast and reliable web server.
-- **Essential PHP Extensions:** Includes `bcmath`, `bz2`, `calendar`, `exif`, `gd`, `opcache`, `pcntl`, `pdo_mysql`, `shmop`, `sockets`, `sysvmsg`, `sysvsem`, `sysvshm`, `zip`, `imagick`, `grpc`.
-- **Pre-installed Libraries:** `git`, `icu-dev`, `imagemagick`, `freetype`, `jpeg`, `libpng`, `libxml2`, `libzip`, `oniguruma`, `curl`, `nginx-mod-http-headers-more`.
 - **Runit:** Lightweight init system for process supervision.
 - **Multi-arch builds:** Supports linux/amd64 and linux/arm64.