Merge commit from fork

Compute base-image fingerprint from bake metadata and store it under a vendor label. Add a local test script to reproduce the fingerprint and compare runs.

Co-authored-by: Tim Nelles <tim.nelles@denkwerk.com>

Author: opctim

.github/workflows/docker.yaml

@@ -50,54 +50,19 @@ jobs:
       php85_version: ${{ steps.check.outputs.php85_version }}
       skip: ${{ steps.check.outputs.skip }}
       ref: ${{ steps.check.outputs.ref || (github.event_name == 'workflow_dispatch' && inputs.version) || '' }}
+      base_fingerprint: ${{ steps.check.outputs.base_fingerprint }}
     steps:
-      - name: Check PHP versions
-        id: check
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          PHP_82_LATEST=$(skopeo inspect docker://docker.io/library/php:8.2 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
-          PHP_83_LATEST=$(skopeo inspect docker://docker.io/library/php:8.3 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
-          PHP_84_LATEST=$(skopeo inspect docker://docker.io/library/php:8.4 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
-          PHP_85_LATEST=$(skopeo inspect docker://docker.io/library/php:8.5 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
-          {
-            echo php_version="${PHP_82_LATEST},${PHP_83_LATEST},${PHP_84_LATEST},${PHP_85_LATEST}"
-            echo php82_version="${PHP_82_LATEST//./-}"
-            echo php83_version="${PHP_83_LATEST//./-}"
-            echo php84_version="${PHP_84_LATEST//./-}"
-            echo php85_version="${PHP_85_LATEST//./-}"
-          } >> "${GITHUB_OUTPUT}"
-
-          # Check if the Docker images must be rebuilt
-          if [[ "${GITHUB_EVENT_NAME}" != "schedule"  ]]; then
-              echo skip=false >> "${GITHUB_OUTPUT}"
-              exit 0
-          fi
-
-          FRANKENPHP_LATEST_TAG=$(gh release view --repo php/frankenphp --json tagName --jq '.tagName')
-          FRANKENPHP_LATEST_TAG_NO_PREFIX="${FRANKENPHP_LATEST_TAG#v}"
-          FRANKENPHP_82_LATEST=$(skopeo inspect docker://docker.io/dunglas/frankenphp:"${FRANKENPHP_LATEST_TAG_NO_PREFIX}"-php8.2 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
-          FRANKENPHP_83_LATEST=$(skopeo inspect docker://docker.io/dunglas/frankenphp:"${FRANKENPHP_LATEST_TAG_NO_PREFIX}"-php8.3 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
-          FRANKENPHP_84_LATEST=$(skopeo inspect docker://docker.io/dunglas/frankenphp:"${FRANKENPHP_LATEST_TAG_NO_PREFIX}"-php8.4 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
-          FRANKENPHP_85_LATEST=$(skopeo inspect docker://docker.io/dunglas/frankenphp:"${FRANKENPHP_LATEST_TAG_NO_PREFIX}"-php8.5 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
-
-          if [[ "${FRANKENPHP_82_LATEST}" == "${PHP_82_LATEST}" ]] && [[ "${FRANKENPHP_83_LATEST}" == "${PHP_83_LATEST}" ]] && [[ "${FRANKENPHP_84_LATEST}" == "${PHP_84_LATEST}" ]] && [[ "${FRANKENPHP_85_LATEST}" == "${PHP_85_LATEST}" ]]; then
-              echo skip=true >> "${GITHUB_OUTPUT}"
-              exit 0
-          fi
-
-          {
-            echo ref="${FRANKENPHP_LATEST_TAG}"
-            echo skip=false
-          } >> "${GITHUB_OUTPUT}"
       - uses: actions/checkout@v6
-        if: ${{ !fromJson(steps.check.outputs.skip) }}
         with:
-          ref: ${{ steps.check.outputs.ref }}
+          fetch-depth: 0
           persist-credentials: false
       - name: Set up Docker Buildx
-        if: ${{ !fromJson(steps.check.outputs.skip) }}
         uses: docker/setup-buildx-action@v3
+      - name: Check PHP versions and base image fingerprint
+        id: check
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./scripts/ci/compute-fingerprint.sh
       - name: Create variants matrix
         if: ${{ !fromJson(steps.check.outputs.skip) }}
         id: matrix
@@ -192,6 +157,7 @@ jobs:
           SHA: ${{ github.sha }}
           VERSION: ${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref || 'dev' }}
           PHP_VERSION: ${{ needs.prepare.outputs.php_version }}
+          BASE_FINGERPRINT: ${{ needs.prepare.outputs.base_fingerprint }}
       - # Workaround for https://github.com/actions/runner/pull/2477#issuecomment-1501003600
         name: Export metadata
         if: fromJson(needs.prepare.outputs.push)

docker-bake.hcl

@@ -14,6 +14,10 @@ variable "GO_VERSION" {
     default = "1.25"
 }
 
+variable "BASE_FINGERPRINT" {
+    default = ""
+}
+
 variable "SPC_OPT_BUILD_ARGS" {
     default = ""
 }
@@ -120,6 +124,7 @@ target "default" {
         "org.opencontainers.image.created" = "${timestamp()}"
         "org.opencontainers.image.version" = VERSION
         "org.opencontainers.image.revision" = SHA
+        "dev.frankenphp.base.fingerprint" = BASE_FINGERPRINT
     }
     args = {
         FRANKENPHP_VERSION = VERSION
@@ -146,6 +151,7 @@ target "static-builder-musl" {
         "org.opencontainers.image.created" = "${timestamp()}"
         "org.opencontainers.image.version" = VERSION
         "org.opencontainers.image.revision" = SHA
+        "dev.frankenphp.base.fingerprint" = BASE_FINGERPRINT
     }
     args = {
         FRANKENPHP_VERSION = VERSION
@@ -171,6 +177,7 @@ target "static-builder-gnu" {
         "org.opencontainers.image.created" = "${timestamp()}"
         "org.opencontainers.image.version" = VERSION
         "org.opencontainers.image.revision" = SHA
+        "dev.frankenphp.base.fingerprint" = BASE_FINGERPRINT
     }
     args = {
         FRANKENPHP_VERSION = VERSION

scripts/ci/compute-fingerprint.sh

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+write_output() {
+  if [[ -n "${GITHUB_OUTPUT:-}" ]]; then
+    echo "$1" >> "${GITHUB_OUTPUT}"
+  else
+    echo "$1"
+  fi
+}
+
+get_php_version() {
+  local version="$1"
+  skopeo inspect "docker://docker.io/library/php:${version}" \
+    --override-os linux \
+    --override-arch amd64 |
+    jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")'
+}
+
+PHP_82_LATEST="$(get_php_version 8.2)"
+PHP_83_LATEST="$(get_php_version 8.3)"
+PHP_84_LATEST="$(get_php_version 8.4)"
+PHP_85_LATEST="$(get_php_version 8.5)"
+
+PHP_VERSION="${PHP_82_LATEST},${PHP_83_LATEST},${PHP_84_LATEST},${PHP_85_LATEST}"
+write_output "php_version=${PHP_VERSION}"
+write_output "php82_version=${PHP_82_LATEST//./-}"
+write_output "php83_version=${PHP_83_LATEST//./-}"
+write_output "php84_version=${PHP_84_LATEST//./-}"
+write_output "php85_version=${PHP_85_LATEST//./-}"
+
+if [[ "${GITHUB_EVENT_NAME:-}" == "schedule" ]]; then
+  FRANKENPHP_LATEST_TAG="$(gh release view --repo php/frankenphp --json tagName --jq '.tagName')"
+  git checkout "${FRANKENPHP_LATEST_TAG}"
+fi
+
+METADATA="$(PHP_VERSION="${PHP_VERSION}" docker buildx bake --print | jq -c)"
+
+BASE_IMAGES=()
+while IFS= read -r image; do
+  BASE_IMAGES+=("${image}")
+done < <(jq -r '
+  .target[]?.contexts? | to_entries[]?
+  | select(.value | startswith("docker-image://"))
+  | .value
+  | sub("^docker-image://"; "")
+' <<< "${METADATA}" | sort -u)
+
+BASE_IMAGE_DIGESTS=()
+for image in "${BASE_IMAGES[@]}"; do
+  if [[ "${image}" == */* ]]; then
+    ref="docker://docker.io/${image}"
+  else
+    ref="docker://docker.io/library/${image}"
+  fi
+  digest="$(skopeo inspect "${ref}" \
+    --override-os linux \
+    --override-arch amd64 \
+    --format '{{.Digest}}')"
+  BASE_IMAGE_DIGESTS+=("${image}@${digest}")
+done
+
+BASE_FINGERPRINT="$(printf '%s\n' "${BASE_IMAGE_DIGESTS[@]}" | sort | sha256sum | awk '{print $1}')"
+write_output "base_fingerprint=${BASE_FINGERPRINT}"
+
+if [[ "${GITHUB_EVENT_NAME:-}" != "schedule" ]]; then
+  write_output "skip=false"
+  exit 0
+fi
+
+FRANKENPHP_LATEST_TAG_NO_PREFIX="${FRANKENPHP_LATEST_TAG#v}"
+EXISTING_FINGERPRINT=$(
+  skopeo inspect "docker://docker.io/dunglas/frankenphp:${FRANKENPHP_LATEST_TAG_NO_PREFIX}" \
+    --override-os linux \
+    --override-arch amd64 |
+    jq -r '.Labels["dev.frankenphp.base.fingerprint"] // empty'
+)
+
+if [[ -n "${EXISTING_FINGERPRINT}" ]] && [[ "${EXISTING_FINGERPRINT}" == "${BASE_FINGERPRINT}" ]]; then
+  write_output "skip=true"
+  exit 0
+fi
+
+write_output "ref=${FRANKENPHP_LATEST_TAG}"
+write_output "skip=false"

scripts/ci/verify_image_tags.sh

@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+PHP_VERSION="${PHP_VERSION:-}"
+GO_VERSION="${GO_VERSION:-}"
+USE_LATEST_PHP="${USE_LATEST_PHP:-0}"
+
+if [[ -z "${GO_VERSION}" ]]; then
+  GO_VERSION="$(awk -F'"' '/variable "GO_VERSION"/ {f=1} f && /default/ {print $2; exit}' docker-bake.hcl)"
+  GO_VERSION="${GO_VERSION:-1.25}"
+fi
+
+if [[ -z "${PHP_VERSION}" ]]; then
+  PHP_VERSION="$(awk -F'"' '/variable "PHP_VERSION"/ {f=1} f && /default/ {print $2; exit}' docker-bake.hcl)"
+  PHP_VERSION="${PHP_VERSION:-8.2,8.3,8.4,8.5}"
+fi
+
+if [[ "${USE_LATEST_PHP}" == "1" ]]; then
+  PHP_82_LATEST=$(skopeo inspect docker://docker.io/library/php:8.2 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
+  PHP_83_LATEST=$(skopeo inspect docker://docker.io/library/php:8.3 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
+  PHP_84_LATEST=$(skopeo inspect docker://docker.io/library/php:8.4 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
+  PHP_85_LATEST=$(skopeo inspect docker://docker.io/library/php:8.5 --override-os linux --override-arch amd64 | jq -r '.Env[] | select(test("^PHP_VERSION=")) | sub("^PHP_VERSION="; "")')
+  PHP_VERSION="${PHP_82_LATEST},${PHP_83_LATEST},${PHP_84_LATEST},${PHP_85_LATEST}"
+fi
+
+OS_LIST=()
+while IFS= read -r os; do
+  OS_LIST+=("${os}")
+done < <(python3 - <<'PY'
+import re
+
+with open("docker-bake.hcl", "r", encoding="utf-8") as f:
+    data = f.read()
+
+# Find the first "os = [ ... ]" block and extract quoted values
+m = re.search(r'os\s*=\s*\[(.*?)\]', data, re.S)
+if not m:
+    raise SystemExit(1)
+
+vals = re.findall(r'"([^"]+)"', m.group(1))
+for v in vals:
+    print(v)
+PY
+)
+
+IFS=',' read -r -a PHP_VERSIONS <<< "${PHP_VERSION}"
+
+BASE_IMAGES=()
+for os in "${OS_LIST[@]}"; do
+  BASE_IMAGES+=("golang:${GO_VERSION}-${os}")
+  for pv in "${PHP_VERSIONS[@]}"; do
+    BASE_IMAGES+=("php:${pv}-zts-${os}")
+  done
+done
+
+BASE_IMAGES=($(printf '%s\n' "${BASE_IMAGES[@]}" | sort -u))
+
+BASE_IMAGE_DIGESTS=()
+for image in "${BASE_IMAGES[@]}"; do
+  if [[ "${image}" == */* ]]; then
+    ref="docker://docker.io/${image}"
+  else
+    ref="docker://docker.io/library/${image}"
+  fi
+  digest="$(skopeo inspect "${ref}" --override-os linux --override-arch amd64 --format '{{.Digest}}')"
+  BASE_IMAGE_DIGESTS+=("${image}@${digest}")
+done
+
+hash_cmd="sha256sum"
+if ! command -v "${hash_cmd}" >/dev/null 2>&1; then
+  hash_cmd="shasum -a 256"
+fi
+
+fingerprint="$(printf '%s\n' "${BASE_IMAGE_DIGESTS[@]}" | sort | ${hash_cmd} | awk '{print $1}')"
+
+echo "PHP_VERSION=${PHP_VERSION}"
+echo "GO_VERSION=${GO_VERSION}"
+echo "OS_LIST=${OS_LIST[*]}"
+echo "Base images:"
+printf '  %s\n' "${BASE_IMAGES[@]}"
+echo "Fingerprint: ${fingerprint}"