Also update legacy SAML2 library #63

Workflow file for this run

	name: Docker

	# This workflow uses actions that are not certified by GitHub.
	# They are provided by a third-party and are governed by
	# separate terms of service, privacy policy, and support
	# documentation.

	on:
	workflow_dispatch:
	push:
	branches: [ "main" ]
	# Publish semver tags as releases.
	tags: [ 'v..*' ]
	pull_request:
	branches: [ "main" ]

	env:
	# Use docker.io for Docker Hub if empty
	REGISTRY: ghcr.io
	# github.repository as <account>/<repo>
	IMAGE_NAME: ${{ github.repository }}
	# Set VERSION from tag if present, else fetch latest
	VERSION: ${{ github.ref_type == 'tag' && github.ref_name \|\| '' }}


	jobs:
	prepare:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	outputs:
	VERSION: ${{ steps.determine_version.outputs.VERSION }}
	steps:
	- name: Determine SimpleSAMLphp version
	id: determine_version
	run: \|
	if [ -z "${VERSION}" ]; then
	LATEST=$(curl -s https://api.github.com/repos/simplesamlphp/simplesamlphp/releases/latest \| jq -r .tag_name \| sed 's/^v//')
	echo "VERSION=$LATEST" >> $GITHUB_OUTPUT
	else
	echo "VERSION=${VERSION#v}" >> $GITHUB_OUTPUT
	fi
	env:
	VERSION: ${{ env.VERSION }}

	docker:
	needs: prepare
	runs-on: ${{ matrix.platform == 'linux/amd64' && 'ubuntu-latest' \|\| 'ubuntu-24.04-arm' }}
	strategy:
	fail-fast: false
	matrix:
	platform:
	- linux/amd64
	- linux/arm64
	permissions:
	contents: read
	packages: write
	# This is used to complete the identity challenge
	# with sigstore/fulcio when running outside of PRs.
	id-token: write
	env:
	VERSION: ${{ needs.prepare.outputs.VERSION }}

	steps:
	- name: Set platform pair
	id: set_platform_pair
	run: \|
	echo "platform_pair=${{ matrix.platform }}" \| sed 's#/#-#g' >> $GITHUB_OUTPUT
	- name: Checkout repository
	uses: actions/checkout@v3

	# Install the cosign tool except on PR
	# https://github.com/sigstore/cosign-installer
	- name: Install cosign
	if: github.event_name != 'pull_request'
	uses: sigstore/[email protected] #v2.6.0
	with:
	cosign-release: 'v2.2.0'

	# Added as suggestion to fix https://github.com/docker/buildx/issues/499#issuecomment-763920971
	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3

	# Workaround: https://github.com/docker/build-push-action/issues/461
	- name: Setup Docker buildx
	uses: docker/setup-buildx-action@v3
	- name: Download SimpleSAMLphp release
	run: \|
	curl -L https://github.com/simplesamlphp/simplesamlphp/releases/download/v${{ env.VERSION }}/simplesamlphp-${{ env.VERSION }}-full.tar.gz --output simplesamlphp-version-full.tar.gz
	working-directory: ${{ github.workspace }}
	- name: Extract composer.json
	run: \|
	tar -xzf simplesamlphp-version-full.tar.gz simplesamlphp-${{ env.VERSION }}/composer.json --strip-components=1
	working-directory: ${{ github.workspace }}
	- name: Determine minimum supported PHP version
	id: php_version
	run: \|
	# Extract the PHP version constraint from composer.json
	PHP_CONSTRAINT=$(jq -r '.require.php' composer.json)
	# Try to extract the minimum version from a constraint like ">=8.2.0" or "^8.2"
	# Remove common operators and get the first version-like string
	MIN_VERSION=$(echo "$PHP_CONSTRAINT" \| grep -Eo '[0-9]+\.[0-9]+(\.[0-9]+)?' \| head -n1)
	# Reduce to major.minor (e.g., 8.2 from 8.2.23 or 8.2)
	PHP_VERSION=$(echo "$MIN_VERSION" \| awk -F. '{print $1 "." $2}')
	# Always use at least 8.4
	MINIMUM=8.4
	version_ge() { awk -v v1="$1" -v v2="$2" 'BEGIN { split(v1,a,"."); split(v2,b,"."); exit (a[1]>b[1] \|\| (a[1]==b[1] && a[2]>=b[2])) ? 0 : 1 }'; }
	if ! version_ge "$PHP_VERSION" "$MINIMUM"; then
	PHP_VERSION="$MINIMUM"
	fi
	echo "PHP_VERSION=$PHP_VERSION" >> $GITHUB_ENV
	echo "php_version=$PHP_VERSION" >> $GITHUB_OUTPUT
	working-directory: ${{ github.workspace }}
	env:
	COMPOSER_HOME: $HOME/.composer

	# Login against a Docker registry except on PR
	# https://github.com/docker/login-action
	- name: Log into registry ${{ env.REGISTRY }}
	if: github.event_name != 'pull_request'
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	# Extract metadata (tags, labels) for Docker
	# https://github.com/docker/metadata-action
	- name: Extract Docker metadata (PHP image)
	id: meta-php
	uses: docker/metadata-action@v5
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php
	- name: Extract Docker metadata (PHP image, modified for ADFS MFA extension)
	id: meta-php-adfsmfa
	uses: docker/metadata-action@v5
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php-adfsmfa
	- name: Extract Docker metadata (nginx image)
	id: meta-nginx
	uses: docker/metadata-action@v5
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-nginx

	# Build and push Docker image with Buildx (don't push on PR)
	# https://github.com/docker/build-push-action
	- name: Build and push PHP image
	id: build-and-push-php
	uses: docker/build-push-action@v6
	with:
	context: .
	platforms: ${{ matrix.platform }}
	target: phpfpm
	tags: \|
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php:v${{ env.VERSION }}-${{ steps.set_platform_pair.outputs.platform_pair }}
	labels: ${{ steps.meta-php.outputs.labels }}
	outputs: type=image,push=${{ github.event_name != 'pull_request' }}
	file: ./Dockerfile
	build-args: \|
	PHP_VERSION=${{ steps.php_version.outputs.php_version }}
	- name: Build and push PHP image (modified for ADFS MFA extension)
	id: build-and-push-php-adfsmfa
	uses: docker/build-push-action@v6
	with:
	context: .
	platforms: ${{ matrix.platform }}
	target: php-adfsmfa
	tags: \|
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php-adfsmfa:v${{ env.VERSION }}-${{ steps.set_platform_pair.outputs.platform_pair }}
	labels: ${{ steps.meta-php-adfsmfa.outputs.labels }}
	outputs: type=image,push=${{ github.event_name != 'pull_request' }}
	file: ./Dockerfile
	build-args: \|
	PHP_VERSION=${{ steps.php_version.outputs.php_version }}
	- name: Build and push nginx image
	id: build-and-push-nginx
	uses: docker/build-push-action@v6
	with:
	context: .
	platforms: ${{ matrix.platform }}
	target: nginx
	tags: \|
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-nginx:v${{ env.VERSION }}-${{ steps.set_platform_pair.outputs.platform_pair }}
	labels: ${{ steps.meta-nginx.outputs.labels }}
	outputs: type=image,push=${{ github.event_name != 'pull_request' }}
	file: ./Dockerfile
	build-args: \|
	PHP_VERSION=${{ steps.php_version.outputs.php_version }}

	# Sign the resulting Docker image digest except on PRs.
	# This will only write to the public Rekor transparency log when the Docker
	# repository is public to avoid leaking data. If you would like to publish
	# transparency data even for private images, pass --force to cosign below.
	# https://github.com/sigstore/cosign
	- name: Sign the published PHP image
	if: ${{ github.event_name != 'pull_request' }}
	env:
	COSIGN_EXPERIMENTAL: "true"
	# This step uses the identity token to provision an ephemeral certificate
	# against the sigstore community Fulcio instance.
	run: echo "${{ steps.meta-php.outputs.tags }}" \| xargs -I {} cosign sign {}@${{ steps.build-and-push-php.outputs.digest }} -y
	- name: Sign the published PHP image (modified for ADFS MFA extension)
	if: ${{ github.event_name != 'pull_request' }}
	env:
	COSIGN_EXPERIMENTAL: "true"
	# This step uses the identity token to provision an ephemeral certificate
	# against the sigstore community Fulcio instance.
	run: echo "${{ steps.meta-php-adfsmfa.outputs.tags }}" \| xargs -I {} cosign sign {}@${{ steps.build-and-push-php-adfsmfa.outputs.digest }} -y
	- name: Sign the published nginx image
	if: ${{ github.event_name != 'pull_request' }}
	env:
	COSIGN_EXPERIMENTAL: "true"
	run: echo "${{ steps.meta-nginx.outputs.tags }}" \| xargs -I {} cosign sign {}@${{ steps.build-and-push-nginx.outputs.digest }} -y

	merge:
	needs: [docker, prepare]
	runs-on: ubuntu-latest
	if: ${{ github.event_name != 'pull_request' }}
	permissions:
	contents: read
	packages: write
	env:
	VERSION: ${{ needs.prepare.outputs.VERSION }}
	steps:
	# Login against a Docker registry except on PR
	# https://github.com/docker/login-action
	- name: Login to registry ${{ env.REGISTRY }}
	if: github.event_name != 'pull_request'
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Determine if this is the latest release
	id: is_latest
	run: \|
	LATEST=$(curl -s https://api.github.com/repos/simplesamlphp/simplesamlphp/releases/latest \| jq -r .tag_name \| sed 's/^v//')
	if [ "$LATEST" = "${VERSION}" ]; then
	echo "is_latest=true" >> $GITHUB_OUTPUT
	else
	echo "is_latest=false" >> $GITHUB_OUTPUT
	fi
	env:
	VERSION: ${{ env.VERSION }}
	- name: Create manifest list and push (php)
	run: \|
	docker buildx imagetools create \
	-t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php:v${{ env.VERSION }} \
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php:v${{ env.VERSION }}-linux-amd64 \
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php:v${{ env.VERSION }}-linux-arm64
	env:
	VERSION: ${{ env.VERSION }}
	- name: Tag PHP image as latest
	if: steps.is_latest.outputs.is_latest == 'true'
	run: \|
	docker buildx imagetools create \
	-t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php:latest \
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php:v${{ env.VERSION }}-linux-amd64 \
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php:v${{ env.VERSION }}-linux-arm64
	env:
	VERSION: ${{ env.VERSION }}
	- name: Inspect PHP image
	run: \|
	docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php:v${{ env.VERSION }}
	- name: Create manifest list and push (php, modified for ADFS MFA extension)
	run: \|
	docker buildx imagetools create \
	-t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php-adfsmfa:v${{ env.VERSION }} \
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php-adfsmfa:v${{ env.VERSION }}-linux-amd64 \
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php-adfsmfa:v${{ env.VERSION }}-linux-arm64
	env:
	VERSION: ${{ env.VERSION }}
	- name: Tag PHP image (modified for ADFS MFA extension) as latest
	if: steps.is_latest.outputs.is_latest == 'true'
	run: \|
	docker buildx imagetools create \
	-t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php-adfsmfa:latest \
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php-adfsmfa:v${{ env.VERSION }}-linux-amd64 \
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php-adfsmfa:v${{ env.VERSION }}-linux-arm64
	env:
	VERSION: ${{ env.VERSION }}
	- name: Inspect PHP image (modified for ADFS MFA extension)
	run: \|
	docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-php-adfsmfa:v${{ env.VERSION }}
	- name: Create manifest list and push (nginx)
	run: \|
	docker buildx imagetools create \
	-t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-nginx:v${{ env.VERSION }} \
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-nginx:v${{ env.VERSION }}-linux-amd64 \
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-nginx:v${{ env.VERSION }}-linux-arm64
	env:
	VERSION: ${{ env.VERSION }}
	- name: Tag nginx image as latest
	if: steps.is_latest.outputs.is_latest == 'true'
	run: \|
	docker buildx imagetools create \
	-t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-nginx:latest \
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-nginx:v${{ env.VERSION }}-linux-amd64 \
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-nginx:v${{ env.VERSION }}-linux-arm64
	env:
	VERSION: ${{ env.VERSION }}
	- name: Inspect nginx image
	run: \|
	docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-nginx:v${{ env.VERSION }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Also update legacy SAML2 library #63

Workflow file

Also update legacy SAML2 library #63

Uh oh!

Workflow file for this run