Merge pull request #29 from sherifabdlnaby/php-8.1

- Use PHP 8.1 by default
- Add `command-loop-w-cooldown` Script 
- Security Patches

Author: sherifabdlnaby

.github/auto-release.yml

@@ -22,17 +22,26 @@ version-resolver:
   default: 'patch'
 
 categories:
+  - title: '🚀 Features'
+    labels:
+      - 'feature'
   - title: '🚀 Enhancements'
     labels:
       - 'enhancement'
-      - 'feature'
-      - 'patch'
   - title: '🐛 Bug Fixes'
     labels:
       - 'fix'
       - 'bugfix'
       - 'bug'
       - 'hotfix'
+  - title: '⬆️ Upgrades & Patches'
+    labels:
+      - 'patch'
+      - 'upgrades'
+  - title: '🔒 Security Patches'
+    labels:
+      - 'security-patch'
+      - 'security-fix'
   - title: '🤖 Automatic Updates'
     labels:
       - 'auto-update'
@@ -44,15 +53,22 @@ autolabeler:
   - label: 'chore'
     files:
       - '*.md'
+
   - label: 'enhancement'
-    title: '/enhancement/i'
+    title: '/enhancement/✨i'
 
   - label: 'bugfix'
     title: '/bugfix/i'
 
   - label: 'bug'
     title: '/🐛|🐞|fixes/i'
 
+  - label: 'security-patch'
+    title: '/🔒|security fix/i'
+
+  - label: 'upgrades'
+    title: '/⬆️|upgrade/i'
+
   - label: 'auto-update'
     title: '/🤖/i'
 
@@ -71,10 +87,3 @@ template: |
 
   $CHANGES
 
-replacers:
-  # Remove irrelevant information from Renovate bot
-  - search: '/(?<=---\s+)+^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm'
-    replace: ''
-  # Remove Renovate bot banner image
-  - search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'
-    replace: ''

.github/workflows/build-test-scan.yml

@@ -35,8 +35,8 @@ jobs:
         with:
           dev: no
           command: create-project
-          args: --no-install --no-scripts symfony/symfony-demo app
-          php_version: 7.4
+          args: --no-install --no-scripts symfony/symfony-demo:v2.1.0 app
+          php_version: 8.1
       - name: Build & Deploy
         run: make deploy
       - name: Test the App Startup

Dockerfile

@@ -1,6 +1,6 @@
 # ---------------------------------------------- Build Time Arguments --------------------------------------------------
-ARG PHP_VERSION="7.4"
-ARG PHP_ALPINE_VERSION="3.15"
+ARG PHP_VERSION="8.1"
+ARG PHP_ALPINE_VERSION="3.16"
 ARG NGINX_VERSION="1.21"
 ARG COMPOSER_VERSION="2"
 ARG XDEBUG_VERSION="3.1.3"
@@ -30,9 +30,9 @@ SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 
 # ------------------------------------- Install Packages Needed Inside Base Image --------------------------------------
 
-RUN IMAGE_DEPS="tini gettext"; \
-    RUNTIME_DEPS="fcgi"; \
-    apk add --no-cache ${IMAGE_DEPS} ${RUNTIME_DEPS}
+RUN RUNTIME_DEPS="tini fcgi"; \
+    SECURITY_UPGRADES="curl"; \
+    apk add --no-cache --upgrade ${RUNTIME_DEPS} ${SECURITY_UPGRADES}
 
 # ---------------------------------------- Install / Enable PHP Extensions ---------------------------------------------
 
@@ -57,17 +57,12 @@ RUN apk add --no-cache --virtual .build-deps \
  # - Detect Runtime Dependencies of the installed extensions. \
  # - src: https://github.com/docker-library/wordpress/blob/master/latest/php8.0/fpm-alpine/Dockerfile \
     out="$(php -r 'exit(0);')"; \
-		[ -z "$out" ]; \
-		err="$(php -r 'exit(0);' 3>&1 1>&2 2>&3)"; \
-		[ -z "$err" ]; \
-		\
-		extDir="$(php -r 'echo ini_get("extension_dir");')"; \
+		[ -z "$out" ]; err="$(php -r 'exit(0);' 3>&1 1>&2 2>&3)"; \
+		[ -z "$err" ]; extDir="$(php -r 'echo ini_get("extension_dir");')"; \
 		[ -d "$extDir" ]; \
 		runDeps="$( \
 			scanelf --needed --nobanner --format '%n#p' --recursive "$extDir" \
-				| tr ',' '\n' \
-				| sort -u \
-				| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+				| tr ',' '\n' | sort -u | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 		)"; \
 		# Save Runtime Deps in a virtual deps
 		apk add --no-network --virtual .php-extensions-rundeps $runDeps; \
@@ -99,12 +94,12 @@ COPY docker/fpm/*.conf  /usr/local/etc/php-fpm.d/
 # --------------------------------------------------- Scripts ----------------------------------------------------------
 
 COPY docker/entrypoint/*-base docker/post-build/*-base docker/pre-run/*-base \
-     docker/fpm/healthcheck-fpm \
-     docker/command-loop        \
+     docker/fpm/healthcheck-fpm		\
+     docker/scripts/command-loop*	\
      # to
      /usr/local/bin/
 
-RUN  chmod +x /usr/local/bin/*-base /usr/local/bin/healthcheck-fpm /usr/local/bin/command-loop
+RUN  chmod +x /usr/local/bin/*-base /usr/local/bin/healthcheck-fpm /usr/local/bin/command-loop*
 
 # ---------------------------------------------------- Composer --------------------------------------------------------
 
@@ -274,6 +269,13 @@ ENTRYPOINT ["nginx-entrypoint"]
 
 FROM nginx AS web
 
+USER root
+
+RUN SECURITY_UPGRADES="curl"; \
+    apk add --no-cache --upgrade ${SECURITY_UPGRADES}
+
+USER www-data
+
 # Copy Public folder + Assets that's going to be served from Nginx
 COPY --chown=www-data:www-data --from=app /app/public /app/public
 

docker/command-loop renamed to docker/scripts/command-loop

@@ -41,7 +41,4 @@ while true; do
         echo "Command exited with status code $STATUS, loop interrupted. shutting down...";
         exit $STATUS;
     fi
-
-    # Add 0.5 Sec sleep to avoid instant shutdowns
-    sleep 0.5
 done

docker/scripts/command-loop-w-cooldown

@@ -0,0 +1,50 @@
+#!/bin/sh
+# Reference: https://github.com/facile-it/terminable-loop-command
+# When running a PHP application, you may encounter the need of a background command that runs continuously.
+# You can try to write it as a long running process, but it can be prone to memory leaks and other issues.
+#
+# With this small Shell+PHP combination, you can have a simple loop that:
+#   1. starts the command
+#   2. does something
+#   3. sleeps for a custom amount of time
+#   4. shuts down and restarts back again
+#  5. The shell script intercepts SIGTERM/SIGINT signals so, when they are received, the PHP script is stopped ASAP but gracefully,
+#     since the execution of the body of the command is never truncated.
+
+# This means that you can easily obtain a daemon PHP script without running in memory issues; if you run this in a Kubernetes environment this will be very powerful, since the orchestrator will take care of running the script,
+# and at the same time it will apply the proper restart policies in case of crashes. Last but not least, the signal handling will play nice with shutdown requests, like during the roll out of a new deployment.
+
+
+cooldown=${@:1:1}
+command=${@:2}
+
+echo "Starting command: '$command' with cooldown: '$cooldown' seconds"
+
+# Send Termination to Child
+_term() {
+  kill -TERM $CHILD 2>/dev/null
+  wait $CHILD
+}
+
+# If we received termination signal we need to pass it to child
+trap _term TERM
+
+while true; do
+    # Start Command in BG
+    $command &
+
+    # Get It's PID
+    CHILD=$!
+
+    # Wait for it to be finished
+    wait $CHILD
+
+    # Get its status code and break if it exited.
+    STATUS=$?
+    if [ $STATUS -ne 0 ]; then
+        echo "Command exited with status code $STATUS, loop interrupted. shutting down...";
+        exit $STATUS;
+    fi
+
+    sleep $cooldown
+done