From ec572768490ac0af4fcdb1272e0b94f384cb5eb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Dunglas?= Date: Wed, 8 Apr 2026 17:29:59 +0200 Subject: [PATCH] ci: improve security by using GHA environments --- .github/workflows/docker.yaml | 10 ++++++---- .github/workflows/docs.yaml | 1 + .github/workflows/static.yaml | 15 +++++++++------ .github/workflows/translate.yaml | 1 + 4 files changed, 17 insertions(+), 10 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 36b66cc28d..c1c29bbfc3 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -80,6 +80,7 @@ jobs: VERSION: ${{ (github.ref_type == 'tag' && github.ref_name) || steps.check.outputs.ref || 'dev' }} PHP_VERSION: ${{ steps.check.outputs.php_version }} build: + environment: dockerhub runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }} needs: - prepare @@ -129,8 +130,8 @@ jobs: uses: docker/login-action@v4 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: - username: ${{ secrets.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_PASSWORD }} + username: ${{ vars.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build id: build uses: docker/bake-action@v7 @@ -204,6 +205,7 @@ jobs: # Adapted from https://docs.docker.com/build/ci/github-actions/multi-platform/ push: + environment: dockerhub runs-on: ubuntu-24.04 needs: - prepare @@ -227,8 +229,8 @@ jobs: uses: docker/login-action@v4 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: - username: ${{ secrets.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_PASSWORD }} + username: ${{ vars.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Create manifest list and push working-directory: /tmp/metadata run: | 
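Review bot: `environment: dockerhub` on the `build` job (the `@@ -80,6 +80,7 @@` hunk) applies the environment's protection rules to every run of that job, including the `pull_request` runs that the login step's `if:` guard further down already handles; if the `dockerhub` environment is given required reviewers or a deployment-branch policy, same-repository PR builds (whose ref is `refs/pull/N/merge`) would presumably wait for approval or fail outright rather than merely skip the login. Fork PRs never receive environment secrets, so the environment only adds a control beyond plain secret scoping if its deployment branch policy is set — restricting it to the default branch and release tags is the usual choice, with the step-level `if:` kept as the runtime check. Confirm which refs this job is expected to run on before enabling a branch policy, and record the decision inline, e.g. `environment: dockerhub  # branch policy: default branch + tags only; PR runs rely on the login-step guard`. The rest of the `build` job lies outside this hunk.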
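Review bot: The move to `secrets.DOCKERHUB_TOKEN` in the `@@ -129,8 +130,8 @@` hunk leaves the now-unreferenced repository-level `REGISTRY_USERNAME`/`REGISTRY_PASSWORD` secrets in place unless they are deleted separately; delete them and rotate the underlying credential so a stale secret is not left readable by every workflow in the repository. `DOCKERHUB_TOKEN` should be a Docker Hub access token scoped to the target repositories rather than the account password, and `vars.DOCKERHUB_USERNAME` is a plain variable that is not masked in logs — fine for a username, but nothing sensitive should ever be moved to `vars`. The login step that receives this credential still references `docker/login-action@v4`, a mutable major tag; pinning it to a commit SHA (`uses: docker/login-action@<sha> # v4`) is the customary hardening for a step that handles registry credentials.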
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 5b9316b9cb..3423f553a3 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -16,6 +16,7 @@ concurrency: cancel-in-progress: true jobs: deploy: + environment: website runs-on: ubuntu-slim steps: - name: Trigger website deployment diff --git a/.github/workflows/static.yaml b/.github/workflows/static.yaml index d1557905a0..165c48bcb2 100644 --- a/.github/workflows/static.yaml +++ b/.github/workflows/static.yaml @@ -84,6 +84,7 @@ jobs: VERSION: ${{ steps.check.outputs.ref || 'dev' }} build-linux-musl: + environment: dockerhub permissions: contents: write id-token: write @@ -121,8 +122,8 @@ jobs: uses: docker/login-action@v4 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: - username: ${{ secrets.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_PASSWORD }} + username: ${{ vars.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Set VERSION run: | if [ "${GITHUB_REF_TYPE}" == "tag" ]; then @@ -219,6 +220,7 @@ jobs: BINARY: ./frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }} build-linux-gnu: + environment: dockerhub permissions: contents: write id-token: write @@ -289,8 +291,8 @@ jobs: uses: docker/login-action@v4 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository with: - username: ${{ secrets.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_PASSWORD }} + username: ${{ vars.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build id: build uses: docker/bake-action@v7 @@ -377,6 +379,7 @@ jobs: # Adapted from https://docs.docker.com/build/ci/github-actions/multi-platform/ push: + environment: dockerhub runs-on: ubuntu-24.04 needs: - prepare 
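Review bot: `environment: website` on the `deploy` job only changes which secrets and variables the job can read unless the `website` environment also carries a deployment branch policy or required reviewers; the "Trigger website deployment" step runs with whatever that environment exposes, and its body lies outside the hunk. Set the environment's deployment branch policy to the default branch (plus release tags if those deploy the site) so the environment is an actual control rather than a relabelling of the secret store, and note the intent inline, e.g. `environment: website  # deploy-hook secret lives here; branch policy restricts runs to the default branch`. Whether the trigger step uses a token or a plain webhook cannot be seen from this hunk, so confirm before relying on the environment for protection.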
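Review bot: Adding `environment: dockerhub` to `build-linux-musl` (the `@@ -84,6 +84,7 @@` hunk) and `build-linux-gnu` (`@@ -219,6 +220,7 @@`) — both of which declare `id-token: write` in the same hunk — changes the OIDC token GitHub issues to those jobs: the `sub` claim becomes `repo:<owner>/<repo>:environment:dockerhub` instead of the `ref:`/`pull_request` form, so any external trust policy (cloud workload federation, Sigstore/cosign identity, or anything else keyed on the previous subject) will stop matching. Update those trust policies to the environment subject, or configure a custom `sub` claim template, before this lands, and record the coupling inline, e.g. `environment: dockerhub  # also rewrites the OIDC sub claim to ...:environment:dockerhub — keep trust policies in sync`. What consumes the OIDC token is in the job bodies below this hunk, so the blast radius should be confirmed there.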
@@ -402,8 +405,8 @@ jobs:
 uses: docker/login-action@v4
 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
 with:
- username: ${{ secrets.REGISTRY_USERNAME }}
- password: ${{ secrets.REGISTRY_PASSWORD }}
+ username: ${{ vars.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Create manifest list and push
 working-directory: /tmp/metadata
 run: |
diff --git a/.github/workflows/translate.yaml b/.github/workflows/translate.yaml
index cfc72d516e..c8bf52b099 100644
--- a/.github/workflows/translate.yaml
+++ b/.github/workflows/translate.yaml
@@ -13,6 +13,7 @@ permissions:
 pull-requests: write
 jobs:
 build:
+ environment: translate
 name: Translate Docs
 runs-on: ubuntu-latest
 steps:
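Review bot: In the translate.yaml hunk the job that now holds environment-scoped credentials runs on `runs-on: ubuntu-latest`, a floating label, while every other workflow touched in this patch pins `ubuntu-24.04`; pinning here as well (`runs-on: ubuntu-24.04`) keeps the runner image consistent and avoids a silent image change under a job that reads secrets from the `translate` environment. The visible `pull-requests: write` permission means whatever this job produces from those secrets can be written into pull requests, and an environment's protection rules gate the run but not the `GITHUB_TOKEN`, so the workflow's triggers (outside this hunk) should stay limited to trusted events. A one-line comment such as `environment: translate  # holds the translation API credential; trigger must stay restricted to trusted events` would make that dependency explicit.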